CVE-2017-8040
medium
CVSS v3
6.5
CVSS v2
4.0
VIR risk
6.5
Description
In Single Sign-On for Pivotal Cloud Foundry (PCF) 1.3.x versions prior to 1.3.4 and 1.4.x versions prior to 1.4.3, an XXE (XML External Entity) attack was discovered in the Single Sign-On service dashboard. Privileged users can in some cases upload malformed XML leading to exposure of data on the Single Sign-On service broker file system.
Predictions
Exploit likelihood
75%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: security_alert@emc.com — https://pivotal.io/security/cve-2017-8040
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| vmware | single_sign-on_for_pivotal_cloud_foundry | 1.3.0 | |
| vmware | single_sign-on_for_pivotal_cloud_foundry | 1.3.2 | |
| vmware | single_sign-on_for_pivotal_cloud_foundry | 1.3.3 | |
| vmware | single_sign-on_for_pivotal_cloud_foundry | 1.4.0 | |
| vmware | single_sign-on_for_pivotal_cloud_foundry | 1.4.1 | |
| vmware | single_sign-on_for_pivotal_cloud_foundry | 1.4.2 | |
| vmware | single_sign-on_for_pivotal_cloud_foundry | 1.4.3 | |
References
CWEs
CWE-611
Verify integrity in audit chain (admin only). AS-IS.