Description

An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v260; UAA release 2.x versions prior to v2.7.4.16, 3.6.x versions prior to v3.6.10, 3.9.x versions prior to v3.9.12, and other versions prior to v3.17.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.14, 24.x versions prior to v24.9, 30.x versions prior to 30.2, and other versions prior to v36. Privileged users in one zone are allowed to perform a password reset for users in a different zone.

Remediation

References

https://www.cloudfoundry.org/cve-2017-4991/

Related Vulnerabilities

CVE-2023-29209 Vulnerability in maven package org.xwiki.platform:xwiki-platform-legacy-notification-activitymacro

CVE-2023-34053 Vulnerability in maven package org.springframework:spring-web

CVE-2023-50730 Vulnerability in maven package edu.gemini:gsp-graphql-core_3

CVE-2020-2240 Vulnerability in maven package org.jenkins-ci.plugins:database

CVE-2017-3164 Vulnerability in maven package org.apache.solr:solr-core

Severity

High

Classification

CWE-269 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory