CVE-2017-4963 - OpenCVE

An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pivotal Software	Cloud Foundry Cf-release Cloud Foundry Uaa Cloud Foundry Uaa-release

Configuration 1 [-]

OR	cpe:2.3:a:pivotal_software:cloud_foundry_cf-release::::::::
	cpe:2.3:a:pivotal_software:cloud_foundry_uaa::::::::
	cpe:2.3:a:pivotal_software:cloud_foundry_uaa::::::::
	cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release::::::bosh::*

No data.

References

Link	Providers
https://www.cloudfoundry.org/cve-2017-4963/

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2017-06-13T06:00:00

Updated: 2024-08-05T14:47:43.348Z

Reserved: 2016-12-29T00:00:00

Link: CVE-2017-4963

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-06-13T06:29:00.427

Modified: 2019-07-30T17:13:01.227

Link: CVE-2017-4963

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Cloud Foundry Foundation", "vendor": "n/a", "versions": [{"status": "affected", "version": "Cloud Foundry Foundation"}]}], "datePublic": "2017-06-12T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers."}], "problemTypes": [{"descriptions": [{"description": "Session Fixation for UAA External Authentication", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-06-13T05:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cloudfoundry.org/cve-2017-4963/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "ID": "CVE-2017-4963", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cloud Foundry Foundation", "version": {"version_data": [{"version_value": "Cloud Foundry Foundation"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Session Fixation for UAA External Authentication"}]}]}, "references": {"reference_data": [{"name": "https://www.cloudfoundry.org/cve-2017-4963/", "refsource": "CONFIRM", "url": "https://www.cloudfoundry.org/cve-2017-4963/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:47:43.348Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cloudfoundry.org/cve-2017-4963/"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2017-4963", "datePublished": "2017-06-13T06:00:00", "dateReserved": "2016-12-29T00:00:00", "dateUpdated": "2024-08-05T14:47:43.348Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_cf-release:*:*:*:*:*:*:*:*", "matchCriteriaId": "DAA309B2-E073-48D8-9A63-B7DF3C2EAD7C", "versionEndIncluding": "252", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*", "matchCriteriaId": "1587255F-1BA1-48DE-9515-44182FECB492", "versionEndIncluding": "2.7.4.12", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*", "matchCriteriaId": "358F315A-CDD2-4C93-B7AC-B0E171BC2641", "versionEndIncluding": "3.11.0", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:*:*:*:*:*:bosh:*:*", "matchCriteriaId": "8E77D161-B804-476D-B107-C57216D3D3FB", "versionEndIncluding": "26", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers."}, {"lang": "es", "value": "Se ha descubierto un problema en Cloud Foundry Foundation Cloud Foundry release v252 y versiones anteriores, UAA stand-alone release v2.0.0 - v2.7.4.12 y v3.0.0 - v3.11.0, y UAA bosh release v26 y versiones anteriores. UAA es vulnerable a una fijaci\u00f3n de sesi\u00f3n cuando est\u00e1 configurado para autenticarse contra proveedores de identidades externos basados en SAML u OpenID Connect."}], "id": "CVE-2017-4963", "lastModified": "2019-07-30T17:13:01.227", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-06-13T06:29:00.427", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.cloudfoundry.org/cve-2017-4963/"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}]}