Filtered by vendor Pivotal Software Subscriptions
Total 145 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2016-0896 1 Pivotal Software 1 Cloud Foundry Elastic Runtime 2024-11-21 N/A
Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.34 and 1.7.x before 1.7.12 places 169.254.0.0/16 in the all_open Application Security Group, which might allow remote attackers to bypass intended network-connectivity restrictions by leveraging access to the 169.254.169.254 address.
CVE-2016-0883 1 Pivotal Software 1 Operations Manager 2024-11-21 N/A
Pivotal Cloud Foundry (PCF) Ops Manager before 1.5.14 and 1.6.x before 1.6.9 uses the same cookie-encryption key across different customers' installations, which allows remote attackers to bypass session authentication by leveraging knowledge of this key from another installation.
CVE-2016-0781 2 Cloudfoundry, Pivotal Software 5 Cloud Foundry Uaa Bosh, Cloud Foundry, Cloud Foundry Elastic Runtime and 2 more 2024-11-21 N/A
The UAA OAuth approval pages in Cloud Foundry v208 to v231, Login-server v1.6 to v1.14, UAA v2.0.0 to v2.7.4.1, UAA v3.0.0 to v3.2.0, UAA-Release v2 to v7 and Pivotal Elastic Runtime 1.6.x versions prior to 1.6.20 are vulnerable to an XSS attack by specifying malicious java script content in either the OAuth scopes (SCIM groups) or SCIM group descriptions.
CVE-2016-0780 2 Cloudfoundry, Pivotal Software 2 Cf-release, Cloud Foundry Elastic Runtime 2024-11-21 7.5 High
It was discovered that cf-release v231 and lower, Pivotal Cloud Foundry Elastic Runtime 1.5.x versions prior to 1.5.17 and Pivotal Cloud Foundry Elastic Runtime 1.6.x versions prior to 1.6.18 do not properly enforce disk quotas in certain cases. An attacker could use an improper disk quota value to bypass enforcement and consume all the disk on DEAs/CELLs causing a potential denial of service for other applications.
CVE-2016-0761 2 Cloudfoundry, Pivotal Software 2 Garden Linux, Cloud Foundry Elastic Runtime 2024-11-21 9.8 Critical
Cloud Foundry Garden-Linux versions prior to v0.333.0 and Elastic Runtime 1.6.x version prior to 1.6.17 contain a flaw in managing container files during Docker image preparation that could be used to delete, corrupt or overwrite host files and directories, including other container filesystems on the host.
CVE-2016-0715 1 Pivotal Software 1 Cloud Foundry Elastic Runtime 2024-11-21 N/A
Pivotal Cloud Foundry Elastic Runtime version 1.4.0 through 1.4.5, 1.5.0 through 1.5.11 and 1.6.0 through 1.6.11 is vulnerable to a remote information disclosure. It was found that original mitigation configuration instructions provided as part of CVE-2016-0708 were incomplete and could leave PHP Buildpack, Staticfile Buildpack and potentially other custom Buildpack applications vulnerable to remote information disclosure. Affected applications use automated buildpack detection, serve files directly from the root of the application and have a buildpack that matched after the Java Buildpack in the system buildpack priority when Java Buildpack versions 2.0 through 3.4 were present.
CVE-2015-8786 3 Oracle, Pivotal Software, Redhat 3 Solaris, Rabbitmq, Openstack 2024-11-21 N/A
The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter.
CVE-2015-5173 2 Cloudfoundry, Pivotal Software 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa 2024-11-21 8.8 High
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact via vectors involving emails with password recovery links, aka "Cross Domain Referer Leakage."
CVE-2015-5172 2 Cloudfoundry, Pivotal Software 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa 2024-11-21 9.8 Critical
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links.
CVE-2015-5171 2 Cloudfoundry, Pivotal Software 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa 2024-11-21 9.8 Critical
The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions.
CVE-2015-5170 2 Cloudfoundry, Pivotal Software 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa 2024-11-21 8.8 High
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF checks.
CVE-2015-3192 4 Fedoraproject, Pivotal Software, Redhat and 1 more 8 Fedora, Spring Framework, Jboss Amq and 5 more 2024-11-21 N/A
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
CVE-2015-3191 2 Cloudfoundry, Pivotal Software 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa 2024-11-21 8.8 High
With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the change_email form in UAA is vulnerable to a CSRF attack. This allows an attacker to trigger an e-mail change for a user logged into a cloud foundry instance via a malicious link on a attacker controlled site. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.
CVE-2015-3190 2 Cloudfoundry, Pivotal Software 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa 2024-11-21 6.1 Medium
With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the UAA logout link is susceptible to an open redirect which allows an attacker to insert malicious web page as a redirect parameter.
CVE-2015-3189 2 Cloudfoundry, Pivotal Software 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa 2024-11-21 3.7 Low
With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.
CVE-2015-1834 2 Cloudfoundry, Pivotal Software 2 Cf-release, Cloud Foundry Elastic Runtime 2024-11-21 6.5 Medium
A path traversal vulnerability was identified in the Cloud Foundry component Cloud Controller that affects cf-release versions prior to v208 and Pivotal Cloud Foundry Elastic Runtime versions prior to 1.4.2. Path traversal is the 'outbreak' of a given directory structure through relative file paths in the user input. It aims at accessing files and directories that are stored outside the web root folder, for disallowed reading or even executing arbitrary system commands. An attacker could use a certain parameter of the file path for instance to inject '../' sequences in order to navigate through the file system. In this particular case a remote authenticated attacker can exploit the identified vulnerability in order to upload arbitrary files to the server running a Cloud Controller instance - outside the isolated application container.
CVE-2015-0862 1 Pivotal Software 1 Rabbitmq Management 2024-11-21 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the management web UI in the RabbitMQ management plugin before 3.4.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) message details when a message is unqueued, such as headers or arguments; (2) policy names, which are not properly handled when viewing policies; (3) details for AMQP network clients, such as the version; allow remote authenticated administrators to inject arbitrary web script or HTML via (4) user names, (5) the cluster name; or allow RabbitMQ cluster administrators to (6) modify unspecified content.
CVE-2015-0201 2 Pivotal Software, Vmware 2 Spring Framework, Spring Framework 2024-11-21 N/A
The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.
CVE-2014-9494 1 Pivotal Software 1 Rabbitmq 2024-11-21 N/A
RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwareded-For header.
CVE-2014-3625 3 Pivotal Software, Redhat, Vmware 7 Spring Framework, Jboss Amq, Jboss Bpms and 4 more 2024-11-21 N/A
Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.