CVE-2017-4994

HIGH

Cloud Foundry Foundation cf-release <v263 - Info Disclosure

Title source: llm
STIX 2.1

Description

An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v263; UAA release 2.x versions prior to v2.7.4.18, 3.6.x versions prior to v3.6.12, 3.9.x versions prior to v3.9.14, and other versions prior to v4.3.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.16, 24.x versions prior to v24.11, 30.x versions prior to 30.4, and other versions prior to v40. There was an issue with forwarded http headers in UAA that could result in account corruption.

References (1)

Core 1
Core References
Mitigation, Vendor Advisory x_refsource_confirm
https://www.cloudfoundry.org/cve-2017-4994/

Scores

CVSS v3 7.5
EPSS 0.0111
EPSS Percentile 61.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-20
Status published
Products (50)
cloudfoundry/cloud_foundry_uaa_bosh 13.1
cloudfoundry/cloud_foundry_uaa_bosh 13.2
cloudfoundry/cloud_foundry_uaa_bosh 13.3
cloudfoundry/cloud_foundry_uaa_bosh 13.4
cloudfoundry/cloud_foundry_uaa_bosh 13.5
cloudfoundry/cloud_foundry_uaa_bosh 13.6
cloudfoundry/cloud_foundry_uaa_bosh 13.7
cloudfoundry/cloud_foundry_uaa_bosh 13.8
cloudfoundry/cloud_foundry_uaa_bosh 13.9
cloudfoundry/cloud_foundry_uaa_bosh 13.10
... and 40 more
Published Jun 13, 2017
Tracked Since Feb 18, 2026