CVE-2015-5173

high

Published 2017-10-24 · Modified 2026-05-13

CVSS v3

8.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2

6.8

VIR risk

8.8

Description

Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact via vectors involving emails with password recovery links, aka "Cross Domain Referer Leakage."

Predictions

Exploit likelihood

92%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — https://pivotal.io/security/cve-2015-5170-5173

Application impact

Vendor	Product	Versions	Fixed
cloudfoundry	cf-release	`{"endExcluding":"216"}`	`216`
pivotal_software	cloud_foundry_elastic_runtime	`{"endExcluding":"1.7.0"}`	`1.7.0`
pivotal_software	cloud_foundry_uaa	`{"endExcluding":"2.5.2"}`	`2.5.2`

References

https://pivotal.io/security/cve-2015-5170-5173
https://pivotal.io/security/cve-2015-5170-5173

CWEs

CWE-200

Verify integrity in audit chain (admin only). AS-IS.