PT-2017-6641 · Cloud Foundry+1 · Cloud Foundry Runtime+2
Published
2017-05-25
·
Updated
2022-05-13
·
CVE-2015-3189
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Cloud Foundry Runtime cf-release versions v208 or earlier
UAA Standalone versions 2.2.5 or earlier
Pivotal Cloud Foundry Runtime versions 1.4.5 or earlier
Description
The issue arises when a user changes their email address, and old password reset links are not expired. This is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.
Recommendations
For Cloud Foundry Runtime cf-release versions v208 or earlier, update to a version later than v208 to resolve the issue.
For UAA Standalone versions 2.2.5 or earlier, update to a version later than 2.2.5 to resolve the issue.
For Pivotal Cloud Foundry Runtime versions 1.4.5 or earlier, update to a version later than 1.4.5 to resolve the issue.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cloud Foundry Runtime
Pivotal Cloud Foundry Runtime
Uaa