Password Reset Link Vulnerability in Pivotal Cloud Foundry Runtime Products
CVE-2015-3189

3.7 LOW

Key Information:

Vendor: Pivotal

CVE Published: 25 May 2017

What is CVE-2015-3189?

In the affected versions of Pivotal Cloud Foundry Runtime and UAA Standalone, password reset links that were issued before a user changes their email address are not invalidated by that change. Because the old links stay valid, anyone who obtains an outdated reset link can still use it. The issue only arises when the UAA internal user store is used for authentication; deployments that authenticate through SAML or LDAP are not affected.
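The following is an added illustration of the flaw class described above, written for this page; it is not UAA's code and makes no claim about how UAA implements reset links. It models a tiny reset-link store for an internal user store with two modes: the vulnerable mode leaves links issued before an email change usable, and the hardened mode revokes every outstanding link for the account when the address changes and additionally refuses any link whose recorded address no longer matches the account. The account name, addresses and timestamps are constructed sample data.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ResetRecord:
    """One outstanding password-reset link."""
    username: str
    email: str          # address the link was mailed to when it was issued
    expires_at: float   # absolute epoch time after which the link is dead


class ResetLinkService:
    """Toy password-reset flow for an internal user store (illustrative only).

    bind_to_email=False reproduces the weakness: a link issued before an
    email change stays valid afterwards.  bind_to_email=True is the hardened
    behaviour: changing the address revokes all outstanding links for the
    account, and redemption also re-checks that the address the link was
    sent to is still the one on the account.
    """

    def __init__(self, bind_to_email: bool, ttl_seconds: int = 3600):
        self.bind_to_email = bind_to_email
        self.ttl = ttl_seconds
        self.emails: Dict[str, str] = {}          # username -> current email
        self.links: Dict[str, ResetRecord] = {}   # token -> record

    def add_user(self, username: str, email: str) -> None:
        self.emails[username] = email

    def issue_reset_link(self, username: str, now: Optional[float] = None) -> str:
        """Create an unguessable, time-limited token bound to the current address."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.links[token] = ResetRecord(username, self.emails[username], now + self.ttl)
        return token

    def change_email(self, username: str, new_email: str) -> None:
        self.emails[username] = new_email
        if self.bind_to_email:
            # Hardened: anything mailed to the old address must stop working now.
            stale = [t for t, r in self.links.items() if r.username == username]
            for t in stale:
                del self.links[t]

    def redeem(self, token: str, now: Optional[float] = None) -> bool:
        """Consume a link. Returns True only if it is unexpired and still bound to the account."""
        now = time.time() if now is None else now
        record = self.links.pop(token, None)      # single use in both modes
        if record is None or now > record.expires_at:
            return False
        if self.bind_to_email and record.email != self.emails[record.username]:
            return False   # defence in depth: address on the link no longer matches the account
        return True


def old_link_still_works(bind_to_email: bool) -> bool:
    """Issue a link, change the email, then present the old link.

    Returns True if the stale link was accepted (the vulnerable outcome).
    """
    svc = ResetLinkService(bind_to_email)
    svc.add_user("alice", "alice@old.example")    # constructed sample account
    old_link = svc.issue_reset_link("alice", now=1000.0)
    svc.change_email("alice", "alice@new.example")
    return svc.redeem(old_link, now=1500.0)


def link_is_single_use_and_expires() -> bool:
    """Sanity check of the hardened store's other properties."""
    svc = ResetLinkService(bind_to_email=True)
    svc.add_user("bob", "bob@example.test")
    tok = svc.issue_reset_link("bob", now=1000.0)
    first = svc.redeem(tok, now=1001.0)           # valid, consumed
    second = svc.redeem(tok, now=1002.0)          # already used
    late = svc.issue_reset_link("bob", now=1000.0)
    expired = svc.redeem(late, now=1000.0 + svc.ttl + 1)
    return first and not second and not expired


if __name__ == "__main__":
    print("vulnerable mode accepts stale link:", old_link_still_works(False))
    print("hardened mode accepts stale link:", old_link_still_works(True))
```

When reviewing a reset flow for this class of bug, the check to make is the one `change_email` and `redeem` perform here: a change to the address a reset link was delivered to must either revoke the outstanding links or make them fail verification, and the redeem path should not trust a token merely because it is unexpired and unused.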

Affected Version(s)

Cloud Foundry Runtime cf-release versions v208 or earlier

Cloud Foundry UAA Standalone versions 2.2.5 or earlier

Cloud Foundry Runtime 1.4.5 or earlier

References

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved