CVE-2015-3191

HIGH

Cloud Foundry Runtime <v209 - CSRF

Title source: llm
STIX 2.1

Description

With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the change_email form in UAA is vulnerable to a CSRF attack. This allows an attacker to trigger an e-mail change for a user logged into a cloud foundry instance via a malicious link on a attacker controlled site. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.

References (1)

Core 1
Core References
Vendor Advisory x_refsource_confirm
https://pivotal.io/security/cve-2015-3191

Scores

CVSS v3 8.8
EPSS 0.0049
EPSS Percentile 38.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (6)
cloudfoundry/cf-release < 209
Pivotal/Cloud Foundry Runtime 1.4.5 or earlier
Pivotal/Cloud Foundry Runtime cf-release versions v209 or earlier
Pivotal/Cloud Foundry UAA Standalone versions 2.2.6 or earlier
pivotal_software/cloud_foundry_elastic_runtime < 1.4.5
pivotal_software/cloud_foundry_uaa < 2.2.6
Published May 25, 2017
Tracked Since Feb 18, 2026