CVE-2016-3084

HIGH

Cloudfoundry Cloud Foundry Uaa Bosh < 10 - Access Control

Title source: rule

Description

The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.

References (1)

[Vendor Advisory] https://pivotal.io/security/cve-2016-3084

Scores

CVSS v3 8.1

EPSS 0.0034

EPSS Percentile 56.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-264

Status draft

Affected Products (6)

cloudfoundry/cloud_foundry_uaa_bosh < 10

pivotal_software/cloud_foundry < 236

pivotal_software/cloud_foundry_elastic_runtime < 1.7.1

pivotal_software/cloud_foundry_uaa < 3.3.0

pivotal_software/login-server

org.cloudfoundry.identity/cloudfoundry-identity-server < 3.3.0.1Maven

Timeline

Published May 25, 2017

Tracked Since Feb 18, 2026