VIR Vulnerability Intelligence Relay

CVE-2017-4974

medium
Published 2017-06-13 · Modified 2024-03-01
CVSS v3
6.5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v2
4.0
VIR risk
6.5

Description

Blind SQL Injection with privileged Cloud Foundry UAA endpoints

Predictions

Exploit likelihood
75%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security_alert@emc.com — https://www.cloudfoundry.org/cve-2017-4974/

Package impact
EcosystemPackageVulnerableFixed
java Mavenorg.cloudfoundry.identity:cloudfoundry-identity-server>=2.0.0,<2.7.4.152.7.4.15
java Mavenorg.cloudfoundry.identity:cloudfoundry-identity-server>=3.0.0,<3.6.93.6.9
java Mavenorg.cloudfoundry.identity:cloudfoundry-identity-server>=3.7.0,<3.9.113.9.11
java Mavenorg.cloudfoundry.identity:cloudfoundry-identity-server>=3.10.0,<3.16.03.16.0

Application impact
VendorProductVersionsFixed
cloudfoundrycf-release{"endIncluding":"v257"}
cloudfoundrycloud_foundry_uaa_bosh{"endIncluding":"30"}
cloudfoundrycloud_foundry_uaa_bosh13.1
cloudfoundrycloud_foundry_uaa_bosh13.2
cloudfoundrycloud_foundry_uaa_bosh13.3
cloudfoundrycloud_foundry_uaa_bosh13.4
cloudfoundrycloud_foundry_uaa_bosh13.5
cloudfoundrycloud_foundry_uaa_bosh13.6
cloudfoundrycloud_foundry_uaa_bosh13.7
cloudfoundrycloud_foundry_uaa_bosh13.8
cloudfoundrycloud_foundry_uaa_bosh13.9
cloudfoundrycloud_foundry_uaa_bosh13.10
cloudfoundrycloud_foundry_uaa_bosh13.11
cloudfoundrycloud_foundry_uaa_bosh13.12
cloudfoundrycloud_foundry_uaa_bosh24
cloudfoundrycloud_foundry_uaa_bosh24.1
cloudfoundrycloud_foundry_uaa_bosh24.2
cloudfoundrycloud_foundry_uaa_bosh24.3
cloudfoundrycloud_foundry_uaa_bosh24.4
cloudfoundrycloud_foundry_uaa_bosh24.5
cloudfoundrycloud_foundry_uaa_bosh24.6
cloudfoundrycloud_foundry_uaa_bosh24.7
cloudfoundrycloud_foundry_uaa_bosh30.1
cloudfoundrycloud_foundry_uaa_bosh30.2
cloudfoundrycloud_foundry_uaa_bosh30.3
pivotal_softwarecloud_foundry_uaa{"endIncluding":"4.2.0"}
pivotal_softwarecloud_foundry_uaa2.2.5.4
pivotal_softwarecloud_foundry_uaa2.7.1
pivotal_softwarecloud_foundry_uaa2.7.2
pivotal_softwarecloud_foundry_uaa2.7.3
pivotal_softwarecloud_foundry_uaa2.7.4
pivotal_softwarecloud_foundry_uaa2.7.4.1
pivotal_softwarecloud_foundry_uaa2.7.4.2
pivotal_softwarecloud_foundry_uaa2.7.4.3
pivotal_softwarecloud_foundry_uaa2.7.4.4
pivotal_softwarecloud_foundry_uaa2.7.4.5
pivotal_softwarecloud_foundry_uaa2.7.4.6
pivotal_softwarecloud_foundry_uaa2.7.4.7
pivotal_softwarecloud_foundry_uaa2.7.4.8
pivotal_softwarecloud_foundry_uaa2.7.4.9
pivotal_softwarecloud_foundry_uaa2.7.4.11
pivotal_softwarecloud_foundry_uaa2.7.4.12
pivotal_softwarecloud_foundry_uaa2.7.4.13
pivotal_softwarecloud_foundry_uaa2.7.4.14
pivotal_softwarecloud_foundry_uaa3.6.1
pivotal_softwarecloud_foundry_uaa3.6.2
pivotal_softwarecloud_foundry_uaa3.6.3
pivotal_softwarecloud_foundry_uaa3.6.4
pivotal_softwarecloud_foundry_uaa3.6.5
pivotal_softwarecloud_foundry_uaa3.6.6
pivotal_softwarecloud_foundry_uaa3.6.7
pivotal_softwarecloud_foundry_uaa3.6.8
pivotal_softwarecloud_foundry_uaa3.9.1
pivotal_softwarecloud_foundry_uaa3.9.2
pivotal_softwarecloud_foundry_uaa3.9.3
pivotal_softwarecloud_foundry_uaa3.9.4
pivotal_softwarecloud_foundry_uaa3.9.5
pivotal_softwarecloud_foundry_uaa3.9.6
pivotal_softwarecloud_foundry_uaa3.9.7
pivotal_softwarecloud_foundry_uaa3.9.8
pivotal_softwarecloud_foundry_uaa3.9.9
pivotal_softwarecloud_foundry_uaa3.9.10
pivotal_softwarecloud_foundry_uaa3.9.12
pivotal_softwarecloud_foundry_uaa3.9.13

References

CWEs

CWE-89

Verify integrity in audit chain (admin only). AS-IS.