CVE-2015-3189
LOW
Cloud Foundry Runtime <v208, UAA Standalone <2.2.5, Pivotal Cloud F...
Title source: llm
Description
With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.
References (1)
Core References
Vendor Advisory x_refsource_confirm
https://pivotal.io/security/cve-2015-3189
Scores
CVSS v3
3.7
EPSS
0.0082
EPSS Percentile
52.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-640
Status
published
Products (7)
cloudfoundry/cf-release
< 208
org.cloudfoundry.identity/cloudfoundry-identity-server
0 - 2.2.5 (Maven)
Pivotal/Cloud Foundry
Runtime 1.4.5 or earlier
Pivotal/Cloud Foundry
Runtime cf-release versions v208 or earlier
Pivotal/Cloud Foundry
UAA Standalone versions 2.2.5 or earlier
pivotal_software/cloud_foundry_elastic_runtime
< 1.4.5
pivotal_software/cloud_foundry_uaa
< 2.2.5
Published
May 25, 2017
Tracked Since
Feb 18, 2026