Base Score

HIGH8.8

CVE-2017-4973

An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.12, 24.x versions prior to v24.7, and other versions prior to v30. A vulnerability has been identified with the groups endpoint in UAA allowing users to elevate their privileges.

VectorNETWORK

Published Bysecurity_alert@emc.com

Published DateJun 13, 2017, 06:29

Affected Versions(4)

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

Introduced2.0.0

Fixed2.7.4.14

LimitN/A

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

Introduced3.0.0

Fixed3.6.8

LimitN/A

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

Introduced3.7.0

Fixed3.9.10

LimitN/A

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

Introduced3.10.0

Fixed3.15.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)	2.0.0	2.7.4.14	N/A
org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)	3.0.0	3.6.8	N/A
org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)	3.7.0	3.9.10	N/A
org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)	3.10.0	3.15.0	N/A

Weakness Type (CWE):CWE-269

CVSS Metrics

Base Score

8.8

Vector String

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

https://www.cloudfoundry.org/cve-2017-4973/

Base Score

HIGH8.8

Weakness Type (CWE):CWE-269

CVSS Metrics

Base Score

8.8

Vector String

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

CVE-2017-4973

VectorNETWORK

Published Bysecurity_alert@emc.com

Published DateJun 13, 2017, 06:29

Package (Ecosystem)

Introduced

Fixed

Limit

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

2.0.0

2.7.4.14

N/A

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

3.0.0

3.6.8

N/A

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

3.7.0

3.9.10

N/A

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

3.10.0

3.15.0

N/A