CVE-2017-4963 - OpenCVE

An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Pivotal Software	Cloud Foundry Uaa-release Cloud Foundry Cf-release Cloud Foundry Uaa

Configuration 1 [-]

OR	cpe:2.3:a:pivotal_software:cloud_foundry_cf-release::::::::
	cpe:2.3:a:pivotal_software:cloud_foundry_uaa::::::::
	cpe:2.3:a:pivotal_software:cloud_foundry_uaa::::::::
	cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release::::::bosh::*

References

Link	Resource
https://www.cloudfoundry.org/cve-2017-4963/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: dell

Published: 2017-06-13T06:00:00

Updated: 2017-06-13T05:57:01

Reserved: 2016-12-29T00:00:00

Link: CVE-2017-4963

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-06-13T06:29:00.427

Modified: 2019-07-30T17:13:01.227

Link: CVE-2017-4963

JSON object: View

Redhat Information

No data.

CWE

CWE-384

{"containers": {"cna": {"affected": [{"product": "Cloud Foundry Foundation", "vendor": "n/a", "versions": [{"status": "affected", "version": "Cloud Foundry Foundation"}]}], "datePublic": "2017-06-12T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers."}], "problemTypes": [{"descriptions": [{"description": "Session Fixation for UAA External Authentication", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-06-13T05:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cloudfoundry.org/cve-2017-4963/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "ID": "CVE-2017-4963", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cloud Foundry Foundation", "version": {"version_data": [{"version_value": "Cloud Foundry Foundation"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Session Fixation for UAA External Authentication"}]}]}, "references": {"reference_data": [{"name": "https://www.cloudfoundry.org/cve-2017-4963/", "refsource": "CONFIRM", "url": "https://www.cloudfoundry.org/cve-2017-4963/"}]}}}}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2017-4963", "datePublished": "2017-06-13T06:00:00", "dateReserved": "2016-12-29T00:00:00", "dateUpdated": "2017-06-13T05:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_cf-release:*:*:*:*:*:*:*:*", "matchCriteriaId": "DAA309B2-E073-48D8-9A63-B7DF3C2EAD7C", "versionEndIncluding": "252", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*", "matchCriteriaId": "1587255F-1BA1-48DE-9515-44182FECB492", "versionEndIncluding": "2.7.4.12", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*", "matchCriteriaId": "358F315A-CDD2-4C93-B7AC-B0E171BC2641", "versionEndIncluding": "3.11.0", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:*:*:*:*:*:bosh:*:*", "matchCriteriaId": "8E77D161-B804-476D-B107-C57216D3D3FB", "versionEndIncluding": "26", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers."}, {"lang": "es", "value": "Se ha descubierto un problema en Cloud Foundry Foundation Cloud Foundry release v252 y versiones anteriores, UAA stand-alone release v2.0.0 - v2.7.4.12 y v3.0.0 - v3.11.0, y UAA bosh release v26 y versiones anteriores. UAA es vulnerable a una fijaci\u00f3n de sesi\u00f3n cuando est\u00e1 configurado para autenticarse contra proveedores de identidades externos basados en SAML u OpenID Connect."}], "id": "CVE-2017-4963", "lastModified": "2019-07-30T17:13:01.227", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-06-13T06:29:00.427", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.cloudfoundry.org/cve-2017-4963/"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}]}