Base Score

CRITICAL9.6

CVE-2016-6637

Multiple cross-site request forgery (CSRF) vulnerabilities in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 allow remote attackers to hijack the authentication of unspecified victims for requests that approve or deny a scope via a profile or authorize approval page.

VectorNETWORK

Published Bysecurity_alert@emc.com

Published DateSep 30, 2016, 00:59

Affected Versions(4)

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

Introduced2.0.0

Fixed2.7.4.7

LimitN/A

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

Introduced3.0.0

Fixed3.3.0.5

LimitN/A

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

Introduced3.4.0

Fixed3.4.4

LimitN/A

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

Introduced3.5.0

Fixed3.7.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)	2.0.0	2.7.4.7	N/A
org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)	3.0.0	3.3.0.5	N/A
org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)	3.4.0	3.4.4	N/A
org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)	3.5.0	3.7.0	N/A

Weakness Type (CWE):CWE-352

CVSS Metrics

Base Score

9.6

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

Base Score

CRITICAL9.6

Weakness Type (CWE):CWE-352

CVSS Metrics

Base Score

9.6

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

CVE-2016-6637

VectorNETWORK

Published Bysecurity_alert@emc.com

Published DateSep 30, 2016, 00:59

Package (Ecosystem)

Introduced

Fixed

Limit

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

2.0.0

2.7.4.7

N/A

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

3.0.0

3.3.0.5

N/A

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

3.4.0

3.4.4

N/A

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

3.5.0

3.7.0

N/A