CVE-2016-3084
high
CVSS v3
8.1
CVSS v2
4.3
VIR risk
8.1
Description
Cloud Foundry UAA reset password vulnerable to brute force attack
Predictions
Exploit likelihood
88%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: security_alert@emc.com — https://pivotal.io/security/cve-2016-3084
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.cloudfoundry.identity:cloudfoundry-identity-server | <3.3.0.1 | 3.3.0.1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| cloudfoundry | cloud_foundry_uaa_bosh | {"endIncluding":"10"} | |
| pivotal_software | cloud_foundry | {"endIncluding":"236"} | |
| pivotal_software | cloud_foundry_elastic_runtime | {"endIncluding":"1.7.1"} | |
| pivotal_software | cloud_foundry_uaa | {"endIncluding":"3.3.0"} | |
| pivotal_software | login-server | - | |
References
- https://pivotal.io/security/cve-2016-3084
- https://nvd.nist.gov/vuln/detail/CVE-2016-3084
- https://github.com/cloudfoundry/uaa/commit/14350228989e2aee900b8d48a848293bb5152b6f
- https://github.com/cloudfoundry/uaa/commit/1d3ad7399d010f6a29dc3bf8139d792121301ab8
- https://github.com/cloudfoundry/uaa/commit/460627ed419e4227b10ff121248b3ffc009011a9
- https://github.com/cloudfoundry/uaa/commit/4a119d314744460ed56bcd740b2e913bf3f560c1
- https://github.com/cloudfoundry/uaa/commit/5c2377487bef9d716d5c8e5717df1fc00bc7b000
- https://github.com/cloudfoundry/uaa/commit/66132926f1bac0b878da5841be2f93fa5075d88f
- https://github.com/cloudfoundry/uaa/commit/b3834364ab573e9655348193780a56a602fe87b7
- https://github.com/cloudfoundry/uaa
CWEs
CWE-264
Verify integrity in audit chain (admin only). AS-IS.