The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.
References
Link | Resource |
---|---|
https://pivotal.io/security/cve-2016-3084 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2017-05-25 17:29
Updated : 2024-02-28 16:04
NVD link : CVE-2016-3084
Mitre link : CVE-2016-3084
CVE.ORG link : CVE-2016-3084
JSON object : View
Products Affected
pivotal_software
- cloud_foundry_elastic_runtime
- cloud_foundry
- login-server
- cloud_foundry_uaa
cloudfoundry
- cloud_foundry_uaa_bosh
CWE
CWE-264
Permissions, Privileges, and Access Controls