VIR Vulnerability Intelligence Relay

CVE-2017-4992

critical
Published 2017-06-13 · Modified 2024-03-01
CVSS v3
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
7.5
VIR risk
9.8

Description

Cloud Foundry UAA privilege escalation with user invitations

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security_alert@emc.com — https://www.cloudfoundry.org/cve-2017-4992/

Package impact
EcosystemPackageVulnerableFixed
java Mavenorg.cloudfoundry.identity:cloudfoundry-identity-server>=2.0.0,<2.7.4.172.7.4.17
java Mavenorg.cloudfoundry.identity:cloudfoundry-identity-server>=3.0.0,<3.6.113.6.11
java Mavenorg.cloudfoundry.identity:cloudfoundry-identity-server>=3.7.0,<3.9.133.9.13
java Mavenorg.cloudfoundry.identity:cloudfoundry-identity-server>=3.10.0,<4.2.04.2.0

Application impact
VendorProductVersionsFixed
cloudfoundrycf-release{"endIncluding":"260"}
cloudfoundrycloud_foundry_uaa_bosh{"endIncluding":"27"}
cloudfoundrycloud_foundry_uaa_bosh13.1
cloudfoundrycloud_foundry_uaa_bosh13.2
cloudfoundrycloud_foundry_uaa_bosh13.3
cloudfoundrycloud_foundry_uaa_bosh13.4
cloudfoundrycloud_foundry_uaa_bosh13.5
cloudfoundrycloud_foundry_uaa_bosh13.6
cloudfoundrycloud_foundry_uaa_bosh13.7
cloudfoundrycloud_foundry_uaa_bosh13.8
cloudfoundrycloud_foundry_uaa_bosh13.9
cloudfoundrycloud_foundry_uaa_bosh13.10
cloudfoundrycloud_foundry_uaa_bosh13.11
cloudfoundrycloud_foundry_uaa_bosh13.12
cloudfoundrycloud_foundry_uaa_bosh13.13
cloudfoundrycloud_foundry_uaa_bosh13.14
cloudfoundrycloud_foundry_uaa_bosh24
cloudfoundrycloud_foundry_uaa_bosh24.1
cloudfoundrycloud_foundry_uaa_bosh24.2
cloudfoundrycloud_foundry_uaa_bosh24.3
cloudfoundrycloud_foundry_uaa_bosh24.4
cloudfoundrycloud_foundry_uaa_bosh24.5
cloudfoundrycloud_foundry_uaa_bosh24.6
cloudfoundrycloud_foundry_uaa_bosh24.7
cloudfoundrycloud_foundry_uaa_bosh24.8
cloudfoundrycloud_foundry_uaa_bosh24.9
cloudfoundrycloud_foundry_uaa_bosh30
cloudfoundrycloud_foundry_uaa_bosh30.1
cloudfoundrycloud_foundry_uaa_bosh30.2
pivotal_softwarecloud_foundry_uaa{"endIncluding":"4.2.0"}
pivotal_softwarecloud_foundry_uaa2.2.5.4
pivotal_softwarecloud_foundry_uaa2.7.1
pivotal_softwarecloud_foundry_uaa2.7.2
pivotal_softwarecloud_foundry_uaa2.7.3
pivotal_softwarecloud_foundry_uaa2.7.4
pivotal_softwarecloud_foundry_uaa2.7.4.1
pivotal_softwarecloud_foundry_uaa2.7.4.2
pivotal_softwarecloud_foundry_uaa2.7.4.3
pivotal_softwarecloud_foundry_uaa2.7.4.4
pivotal_softwarecloud_foundry_uaa2.7.4.5
pivotal_softwarecloud_foundry_uaa2.7.4.6
pivotal_softwarecloud_foundry_uaa2.7.4.7
pivotal_softwarecloud_foundry_uaa2.7.4.8
pivotal_softwarecloud_foundry_uaa2.7.4.9
pivotal_softwarecloud_foundry_uaa2.7.4.11
pivotal_softwarecloud_foundry_uaa2.7.4.12
pivotal_softwarecloud_foundry_uaa2.7.4.13
pivotal_softwarecloud_foundry_uaa2.7.4.14
pivotal_softwarecloud_foundry_uaa2.7.4.15
pivotal_softwarecloud_foundry_uaa2.7.4.16
pivotal_softwarecloud_foundry_uaa3.6.1
pivotal_softwarecloud_foundry_uaa3.6.2
pivotal_softwarecloud_foundry_uaa3.6.3
pivotal_softwarecloud_foundry_uaa3.6.4
pivotal_softwarecloud_foundry_uaa3.6.5
pivotal_softwarecloud_foundry_uaa3.6.6
pivotal_softwarecloud_foundry_uaa3.6.7
pivotal_softwarecloud_foundry_uaa3.6.8
pivotal_softwarecloud_foundry_uaa3.6.9
pivotal_softwarecloud_foundry_uaa3.6.10
pivotal_softwarecloud_foundry_uaa3.9.1
pivotal_softwarecloud_foundry_uaa3.9.2
pivotal_softwarecloud_foundry_uaa3.9.3
pivotal_softwarecloud_foundry_uaa3.9.4
pivotal_softwarecloud_foundry_uaa3.9.5
pivotal_softwarecloud_foundry_uaa3.9.6
pivotal_softwarecloud_foundry_uaa3.9.7
pivotal_softwarecloud_foundry_uaa3.9.8
pivotal_softwarecloud_foundry_uaa3.9.9
pivotal_softwarecloud_foundry_uaa3.9.10
pivotal_softwarecloud_foundry_uaa3.9.11
pivotal_softwarecloud_foundry_uaa3.9.12
pivotal_softwarecloud_foundry_uaa3.9.13

References

CWEs

CWE-269

Verify integrity in audit chain (admin only). AS-IS.