CVE-2015-3189 - OpenCVE

With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Pivotal Software	Cloud Foundry Elastic Runtime Cloud Foundry Uaa
Cloudfoundry	Cf-release

Configuration 1 [-]

OR	cpe:2.3:a:cloudfoundry:cf-release::::::::
	cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime::::::::
	cpe:2.3:a:pivotal_software:cloud_foundry_uaa::::::::

References

Link	Resource
https://pivotal.io/security/cve-2015-3189	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: dell

Published: 2017-05-25T17:00:00

Updated: 2017-05-25T16:57:01

Reserved: 2015-04-10T00:00:00

Link: CVE-2015-3189

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-05-25T17:29:00.333

Modified: 2021-08-25T20:30:48.703

Link: CVE-2015-3189

JSON object: View

Redhat Information

No data.

CWE

CWE-640

{"containers": {"cna": {"affected": [{"product": "Cloud Foundry", "vendor": "Pivotal", "versions": [{"status": "affected", "version": "Runtime cf-release versions v208 or earlier"}, {"status": "affected", "version": "UAA Standalone versions 2.2.5 or earlier"}, {"status": "affected", "version": "Runtime 1.4.5 or earlier"}]}], "datePublic": "2015-06-25T00:00:00", "descriptions": [{"lang": "en", "value": "With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected."}], "problemTypes": [{"descriptions": [{"description": "Password reset weakness", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-05-25T16:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://pivotal.io/security/cve-2015-3189"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "ID": "CVE-2015-3189", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cloud Foundry", "version": {"version_data": [{"version_value": "Runtime cf-release versions v208 or earlier"}, {"version_value": "UAA Standalone versions 2.2.5 or earlier"}, {"version_value": "Runtime 1.4.5 or earlier"}]}}]}, "vendor_name": "Pivotal"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Password reset weakness"}]}]}, "references": {"reference_data": [{"name": "https://pivotal.io/security/cve-2015-3189", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2015-3189"}]}}}}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2015-3189", "datePublished": "2017-05-25T17:00:00", "dateReserved": "2015-04-10T00:00:00", "dateUpdated": "2017-05-25T16:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudfoundry:cf-release:*:*:*:*:*:*:*:*", "matchCriteriaId": "F11FD354-9940-4745-BF27-19108E2E567E", "versionEndIncluding": "208", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB6812A0-8836-4F25-9AC1-DB552BC605ED", "versionEndIncluding": "1.4.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*", "matchCriteriaId": "4F876A8B-AA8F-4DAD-B840-6CDF1076AF9D", "versionEndIncluding": "2.2.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected."}, {"lang": "es", "value": "En Cloud Foundry Runtime versiones v208 y anteriores, UAA Standalone versiones 2.2.5 o anteriores y Pivotal Cloud Foundry Runtime, versiones 1.4.5 o anteriores, los enlaces a contrase\u00f1as antiguas reseteadas no expiran despu\u00e9s de que un usuario cambie su direcci\u00f3n de correo electr\u00f3nico actual a una nueva. Esta vulnerabilidad aplica solo cuando se almacena el UAA del usuario interno para la autenticaci\u00f3n. Despliegues habilitados para la integraci\u00f3n a trav\u00e9s de SAML o LDAP no estar\u00edan afectados."}], "id": "CVE-2015-3189", "lastModified": "2021-08-25T20:30:48.703", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-05-25T17:29:00.333", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://pivotal.io/security/cve-2015-3189"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-640"}], "source": "nvd@nist.gov", "type": "Primary"}]}