Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Pivotal Software Subscribe
Filtered by product Cloud Foundry Elastic Runtime
Total 28 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-5016 1 Pivotal Software 4 Cloud Foundry, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa and 1 more 2019-02-26 4.3 MEDIUM 5.9 MEDIUM
Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired.
CVE-2016-0926 1 Pivotal Software 1 Cloud Foundry Elastic Runtime 2019-02-20 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Apps Manager in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.32 and 1.7.x before 1.7.8 allows remote attackers to inject arbitrary web script or HTML via unspecified input that improperly interacts with the AngularJS framework.
CVE-2016-6658 2 Cloudfoundry, Pivotal Software 2 Cf-release, Cloud Foundry Elastic Runtime 2018-04-24 4.0 MEDIUM 9.6 CRITICAL
Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repo. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud Controller database could view these credentials.
CVE-2017-2773 1 Pivotal Software 1 Cloud Foundry Elastic Runtime 2017-07-03 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions prior to 1.6.60, 1.7.x versions prior to 1.7.41, 1.8.x versions prior to 1.8.23, and 1.9.x versions prior to 1.9.1. Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users in multiple components included in PCF Elastic Runtime, aka an "Unauthenticated JWT signing algorithm in multiple components" issue.
CVE-2016-5006 1 Pivotal Software 2 Cloud Foundry, Cloud Foundry Elastic Runtime 2017-05-11 5.0 MEDIUM 9.8 CRITICAL
The Cloud Controller in Cloud Foundry before 239 logs user-provided service objects at creation, which allows attackers to obtain sensitive user credential information via unspecified vectors.
CVE-2016-6657 1 Pivotal Software 2 Cloud Foundry Elastic Runtime, Cloud Foundry Ops Manager 2016-12-22 5.8 MEDIUM 7.4 HIGH
An open redirect vulnerability has been detected with some Pivotal Cloud Foundry Elastic Runtime components. Users of affected versions should apply the following mitigation: Upgrade PCF Elastic Runtime 1.8.x versions to 1.8.12 or later. Upgrade PCF Ops Manager 1.7.x versions to 1.7.18 or later and 1.8.x versions to 1.8.10 or later.
CVE-2016-0896 1 Pivotal Software 1 Cloud Foundry Elastic Runtime 2016-11-28 7.5 HIGH 7.3 HIGH
Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.34 and 1.7.x before 1.7.12 places 169.254.0.0/16 in the all_open Application Security Group, which might allow remote attackers to bypass intended network-connectivity restrictions by leveraging access to the 169.254.169.254 address.
CVE-2016-0927 1 Pivotal Software 1 Cloud Foundry Elastic Runtime 2016-09-30 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.17 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.