Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Pivotal Software Subscribe
Total 144 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2014-9494 1 Pivotal Software 1 Rabbitmq 2018-08-13 5.0 MEDIUM N/A
RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwareded-For header.
CVE-2018-1276 1 Pivotal Software 1 Windows Stemcells 2018-06-20 4.0 MEDIUM 6.5 MEDIUM
Windows 2012R2 stemcells, versions prior to 1200.17, contain an information exposure vulnerability on vSphere. A remote user with the ability to push apps can execute crafted commands to read the IaaS metadata from the VM, which may contain BOSH credentials.
CVE-2018-1280 1 Pivotal Software 1 Greenplum Command Center 2018-06-14 5.0 MEDIUM 7.5 HIGH
Pivotal Greenplum Command Center versions 2.x prior to 2.5.1 contains a blind SQL injection vulnerability. An unauthenticated user can perform a SQL injection in the command center which results in disclosure of database contents.
CVE-2016-8220 1 Pivotal Software 1 Gemfire 2018-05-23 5.0 MEDIUM 7.5 HIGH
Pivotal Gemfire for PCF, versions 1.6.x prior to 1.6.5.0 and 1.7.x prior to 1.7.1.0, contain an information disclosure vulnerability. The application inadvertently exposed WAN replication credentials at a public route.
CVE-2016-6658 2 Cloudfoundry, Pivotal Software 2 Cf-release, Cloud Foundry Elastic Runtime 2018-04-24 4.0 MEDIUM 9.6 CRITICAL
Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repo. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud Controller database could view these credentials.
CVE-2018-1200 1 Pivotal Software 1 Pivotal Application Service 2018-04-10 4.3 MEDIUM 6.5 MEDIUM
Apps Manager for PCF (Pivotal Application Service 1.11.x before 1.11.26, 1.12.x before 1.12.14, and 2.0.x before 2.0.5) allows unprivileged remote file read in its container via specially-crafted links.
CVE-2016-9880 1 Pivotal Software 1 Gemfire For Pivotal Cloud Foundry 2018-04-10 7.5 HIGH 9.8 CRITICAL
The GemFire broker for Cloud Foundry 1.6.x before 1.6.5 and 1.7.x before 1.7.1 has multiple API endpoints which do not require authentication and could be used to gain access to the cluster managed by the broker.
CVE-2018-1192 1 Pivotal Software 4 Cloud Foundry Cf-deployment, Cloud Foundry Cf-release, Cloud Foundry Uaa and 1 more 2018-02-28 6.5 MEDIUM 8.8 HIGH
In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user.
CVE-2015-8786 2 Oracle, Pivotal Software 2 Solaris, Rabbitmq 2018-01-04 6.8 MEDIUM 6.5 MEDIUM
The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter.
CVE-2017-8045 1 Pivotal Software 1 Spring Advanced Message Queuing Protocol 2017-12-12 7.5 HIGH 9.8 CRITICAL
In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.
CVE-2017-14388 1 Pivotal Software 1 Grootfs 2017-11-29 6.8 MEDIUM 7.8 HIGH
Cloud Foundry Foundation GrootFS release 0.3.x versions prior to 0.30.0 do not validate DiffIDs, allowing specially crafted images to poison the grootfs volume cache. For example, this could allow an attacker to provide an image layer that GrootFS would consider to be the Ubuntu base layer.
CVE-2017-2773 1 Pivotal Software 1 Cloud Foundry Elastic Runtime 2017-07-03 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions prior to 1.6.60, 1.7.x versions prior to 1.7.41, 1.8.x versions prior to 1.8.23, and 1.9.x versions prior to 1.9.1. Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users in multiple components included in PCF Elastic Runtime, aka an "Unauthenticated JWT signing algorithm in multiple components" issue.
CVE-2016-6652 1 Pivotal Software 1 Spring Data Jpa 2017-06-30 6.8 MEDIUM 5.6 MEDIUM
SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call.
CVE-2016-5006 1 Pivotal Software 2 Cloud Foundry, Cloud Foundry Elastic Runtime 2017-05-11 5.0 MEDIUM 9.8 CRITICAL
The Cloud Controller in Cloud Foundry before 239 logs user-provided service objects at creation, which allows attackers to obtain sensitive user credential information via unspecified vectors.
CVE-2016-9885 1 Pivotal Software 1 Gemfire For Pivotal Cloud Foundry 2017-01-10 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Pivotal GemFire for PCF 1.6.x versions prior to 1.6.5 and 1.7.x versions prior to 1.7.1. The gfsh (Geode Shell) endpoint, used by operators and application developers to connect to their cluster, is unauthenticated and publicly accessible. Because HTTPS communications are terminated at the gorouter, communications from the gorouter to GemFire clusters are unencrypted. An attacker could run any command available on gfsh and could cause denial of service, lost confidentiality of data, escalate privileges, or eavesdrop on other communications between the gorouter and the cluster.
CVE-2016-6657 1 Pivotal Software 2 Cloud Foundry Elastic Runtime, Cloud Foundry Ops Manager 2016-12-22 5.8 MEDIUM 7.4 HIGH
An open redirect vulnerability has been detected with some Pivotal Cloud Foundry Elastic Runtime components. Users of affected versions should apply the following mitigation: Upgrade PCF Elastic Runtime 1.8.x versions to 1.8.12 or later. Upgrade PCF Ops Manager 1.7.x versions to 1.7.18 or later and 1.8.x versions to 1.8.10 or later.
CVE-2016-6656 1 Pivotal Software 1 Greenplum 2016-12-21 6.5 MEDIUM 7.2 HIGH
An issue was discovered in Pivotal Greenplum before 4.3.10.0. Creation of external tables using GPHDFS protocol has a vulnerability whereby arbitrary commands can be injected into the system. In order to exploit this vulnerability the user must have superuser 'gpadmin' access to the system or have been granted GPHDFS protocol permissions in order to create a GPHDFS external table.
CVE-2016-6653 1 Pivotal Software 1 Cloud Foundry Cf Mysql 2016-11-28 5.0 MEDIUM 7.5 HIGH
The MariaDB audit_plugin component in Pivotal Cloud Foundry (PCF) cf-mysql-release 27 and 28 allows remote attackers to obtain sensitive information by reading syslog messages, as demonstrated by cleartext credentials.
CVE-2016-0929 1 Pivotal Software 1 Rabbitmq 2016-11-28 5.0 MEDIUM 7.5 HIGH
The metrics-collection component in RabbitMQ for Pivotal Cloud Foundry (PCF) 1.6.x before 1.6.4 logs command lines of failed commands, which might allow context-dependent attackers to obtain sensitive information by reading the log data, as demonstrated by a syslog message that contains credentials from a command line.
CVE-2016-0896 1 Pivotal Software 1 Cloud Foundry Elastic Runtime 2016-11-28 7.5 HIGH 7.3 HIGH
Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.34 and 1.7.x before 1.7.12 places 169.254.0.0/16 in the all_open Application Security Group, which might allow remote attackers to bypass intended network-connectivity restrictions by leveraging access to the 169.254.169.254 address.