Filtered by vendor Pivotal Software
Subscribe
Total
144 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-3773 | 2 Oracle, Pivotal Software | 3 Financial Services Analytical Applications Infrastructure, Flexcube Private Banking, Spring Web Services | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources. | |||||
| CVE-2019-11292 | 1 Pivotal Software | 1 Operations Manager | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well. | |||||
| CVE-2019-11287 | 5 Debian, Fedoraproject, Pivotal Software and 2 more | 5 Debian Linux, Fedora, Rabbitmq and 2 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing. | |||||
| CVE-2019-11283 | 2 Cloudfoundry, Pivotal Software | 2 Cf-deployment, Cloud Foundry Smb Volume | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. A remote user with access to the SMB Volume logs can discover the username and password for volumes that have been recently created, allowing the user to take control of the SMB Volume. | |||||
| CVE-2019-11282 | 2 Cloudfoundry, Pivotal Software | 2 Cf-deployment, Cloud Foundry Uaa | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack. A remote authenticated malicious user with scim.invite scope can craft a request with malicious content which can leak information about users of the UAA. | |||||
| CVE-2019-11281 | 4 Debian, Fedoraproject, Pivotal Software and 1 more | 5 Debian Linux, Fedora, Rabbitmq and 2 more | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack that would gain access to virtual hosts and policy management information. | |||||
| CVE-2019-11280 | 1 Pivotal Software | 1 Pivotal Application Service | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain additional privileges by inviting themselves to spaces that they should not have access to. | |||||
| CVE-2019-11276 | 1 Pivotal Software | 1 Application Service | 2024-11-21 | 4.8 MEDIUM | 5.4 MEDIUM |
| Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring actuator, and subsequent requests via unsecured http. An adjacent unauthenticated user could eavesdrop on the network traffic and gain access to the unencrypted token allowing the attacker to read the type of access a user has over an app. They may also modify the logging level, potentially leading to lost information that would otherwise have been logged. | |||||
| CVE-2019-11275 | 2 Pivotal, Pivotal Software | 2 Apps Manager, Pivotal Application Service | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7, contain a vulnerability where a remote authenticated user can create an app with a name such that a csv program can interpret into a formula and gets executed. The malicious user can possibly gain access to a usage report that requires a higher privilege. | |||||
| CVE-2019-11273 | 1 Pivotal Software | 1 Pivotal Container Service | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Pivotal Container Services (PKS) versions 1.3.x prior to 1.3.7, and versions 1.4.x prior to 1.4.1, contains a vulnerable component which logs the username and password to the billing database. A remote authenticated user with access to those logs may be able to retrieve non-sensitive information. | |||||
| CVE-2019-11270 | 1 Pivotal Software | 3 Application Service, Cloud Foundry Uaa, Operations Manager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess. | |||||
| CVE-2019-11269 | 2 Oracle, Pivotal Software | 2 Banking Corporate Lending, Spring Security Oauth | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. | |||||
| CVE-2019-11268 | 1 Pivotal Software | 1 Cloud Foundry Uaa-release | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Cloud Foundry UAA version prior to 73.3.0, contain endpoints that contains improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those reading privileges to all other identity zones and obtain private information on users, clients, and groups in all other identity zones. | |||||
| CVE-2018-1280 | 1 Pivotal Software | 1 Greenplum Command Center | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Pivotal Greenplum Command Center versions 2.x prior to 2.5.1 contains a blind SQL injection vulnerability. An unauthenticated user can perform a SQL injection in the command center which results in disclosure of database contents. | |||||
| CVE-2018-1279 | 1 Pivotal Software | 1 Rabbitmq | 2024-11-21 | 3.3 LOW | 8.5 HIGH |
| Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster. | |||||
| CVE-2018-1278 | 1 Pivotal Software | 1 Pivotal Application Service | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org. | |||||
| CVE-2018-1276 | 1 Pivotal Software | 1 Windows Stemcells | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Windows 2012R2 stemcells, versions prior to 1200.17, contain an information exposure vulnerability on vSphere. A remote user with the ability to push apps can execute crafted commands to read the IaaS metadata from the VM, which may contain BOSH credentials. | |||||
| CVE-2018-1274 | 1 Pivotal Software | 2 Spring Data Commons, Spring Data Rest | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption). | |||||
| CVE-2018-1273 | 3 Apache, Oracle, Pivotal Software | 4 Ignite, Financial Services Crime And Compliance Management Studio, Spring Data Commons and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack. | |||||
| CVE-2018-1265 | 2 Cloudfoundry, Pivotal Software | 2 Cf-deployment, Cloud Foundry Diego | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| Cloud Foundry Diego, release versions prior to 2.8.0, does not properly sanitize file paths in tar and zip files headers. A remote attacker with CF admin privileges can upload a malicious buildpack that will allow a complete takeover of a Diego Cell VM and access to all apps running on that Diego Cell. | |||||