CSRF Vulnerability in UAA Standalone and Cloud Foundry Runtime Products
CVE-2015-3191

8.8 HIGH

Key Information:

Vendor

Pivotal

CVE Published:
25 May 2017

What is CVE-2015-3191?

The change_email form in UAA for the Cloud Foundry Runtime and UAA Standalone products is susceptible to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this vulnerability by prompting a logged-in user to change their email through a malicious link hosted on an attacker-controlled site. This threat specifically affects configurations employing the UAA internal user store for authentication, while those using SAML or LDAP integration remain secure.
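The description above says the form accepts a change-email request on the strength of the session cookie alone. The following is an added example, not UAA code, showing a change-email handler in that state beside a hardened one that requires a per-session synchronizer token (and, as defence in depth, an allowed Origin). The session store, user store, handler names, host names and the sample requests are all constructed for this illustration.

```python
"""Added example (not UAA code): a change-email POST handler with and without an
anti-CSRF synchronizer token. All names, the in-memory stores and the sample
requests are constructed for this illustration."""
import hmac
import secrets

# Constructed in-memory state standing in for an internal user store and session table.
SESSIONS = {}                                   # session cookie value -> session data
USERS = {"alice": {"email": "alice@example.test"}}


def login(username):
    """Create a session and a fresh per-session CSRF token; return the cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_change_email_form(sid):
    """A fixed form embeds the session-bound token as a hidden field. A page on another
    origin cannot read it, so it cannot reproduce it in a forged submission."""
    return {"_csrf": SESSIONS[sid]["csrf"]}


def change_email_vulnerable(request):
    """Before: only the session cookie is checked. The browser attaches that cookie to
    a request triggered from any site the user visits, so the change goes through."""
    sess = SESSIONS.get(request.get("cookie"))
    if sess is None:
        return 401, "not logged in"
    USERS[sess["user"]]["email"] = request["form"]["email"]
    return 200, "email changed"


def change_email_fixed(request, allowed_origins=("https://uaa.example.test",)):
    """After: reject requests with a foreign Origin or a token that does not match the session."""
    sess = SESSIONS.get(request.get("cookie"))
    if sess is None:
        return 401, "not logged in"
    origin = request.get("origin")
    if origin is not None and origin not in allowed_origins:
        return 403, "cross-origin request rejected"
    submitted = request["form"].get("_csrf", "")
    # Constant-time comparison so the token check itself leaks nothing.
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    USERS[sess["user"]]["email"] = request["form"]["email"]
    return 200, "email changed"


def demo():
    """Run a forged request against both handlers, then a legitimate one against the
    fixed handler; return the three status codes and the final stored email."""
    USERS["alice"]["email"] = "alice@example.test"
    sid = login("alice")
    # Constructed forged request: sent from an attacker-controlled origin; the browser
    # adds the victim's session cookie, but the hidden token is not available to it.
    forged = {"cookie": sid, "origin": "https://attacker.example",
              "form": {"email": "attacker@attacker.example"}}
    vuln_status = change_email_vulnerable(forged)[0]   # 200: email overwritten
    USERS["alice"]["email"] = "alice@example.test"     # reset before the fixed handler
    fixed_status = change_email_fixed(forged)[0]       # 403: email untouched
    # Legitimate request from the application's own form, carrying the hidden token.
    legit = {"cookie": sid, "origin": "https://uaa.example.test",
             "form": {"email": "alice.new@example.test", **render_change_email_form(sid)}}
    ok_status = change_email_fixed(legit)[0]           # 200
    return vuln_status, fixed_status, ok_status, USERS["alice"]["email"]


if __name__ == "__main__":
    print(demo())  # (200, 403, 200, 'alice.new@example.test')
```

The token check alone closes the hole described above; the Origin check is kept because it rejects the forged request before any state is touched even if a token were ever leaked, and because browsers attach Origin on cross-site POSTs without any cooperation from the submitting page.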

Affected Version(s)

Cloud Foundry Runtime cf-release versions v209 or earlier

Cloud Foundry UAA Standalone versions 2.2.6 or earlier

Cloud Foundry Runtime 1.4.5 or earlier

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved