CVE-2015-3191

Name of the Vulnerable Software and Affected Versions Cloud Foundry Runtime cf-release versions v209 or earlier UAA Standalone versions 2.2.6 or earlier Pivotal Cloud Foundry Runtime versions 1.4.5 or earlier

Description The change email form in UAA is susceptible to a CSRF attack, allowing an attacker to initiate an email change for a user logged into a Cloud Foundry instance via a malicious link on an attacker-controlled site. This issue only affects deployments using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.

Recommendations For Cloud Foundry Runtime cf-release versions v209 or earlier, update to a version later than v209 to resolve the issue. For UAA Standalone versions 2.2.6 or earlier, update to a version later than 2.2.6 to resolve the issue. For Pivotal Cloud Foundry Runtime versions 1.4.5 or earlier, update to a version later than 1.4.5 to resolve the issue.