Vulnerability Description
The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions, and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute-force attack on the reset code because multiple reset codes can be active at the same time. This vulnerability applies only when the UAA internal user store is used for authentication. Deployments that authenticate through SAML or LDAP integration are not affected.
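The weakness above, as an added example that is not UAA's own code: a password-reset code store where `single_active=True` revokes a user's earlier code whenever a new one is issued (so at most one code is ever live), combined with a lifetime, a per-code failed-attempt limit and single use; `single_active=False` models the pre-fix behaviour in which several codes for one user stay valid at once. The class, its parameters and the limits are assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 15 * 60   # assumption: a reset code lives 15 minutes
MAX_ATTEMPTS = 5             # assumption: wrong guesses before a code is revoked


@dataclass
class ResetCode:
    user: str
    code: str
    issued_at: float
    attempts: int = 0


class ResetCodeStore:
    """Hypothetical reset-code store. With single_active=True, issuing a
    new code for a user revokes any earlier code for that user."""

    def __init__(self, single_active: bool = True):
        self.single_active = single_active
        self._codes: list[ResetCode] = []

    def issue(self, user: str, now: float) -> str:
        if self.single_active:
            # Revoke every earlier code for this user before issuing a new one.
            self._codes = [c for c in self._codes if c.user != user]
        code = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG
        self._codes.append(ResetCode(user, code, now))
        return code

    def active_codes(self, user: str, now: float) -> int:
        """Number of unexpired codes a guess could currently match."""
        return sum(1 for c in self._codes
                   if c.user == user and now - c.issued_at < CODE_TTL_SECONDS)

    def verify(self, user: str, code: str, now: float) -> bool:
        for c in list(self._codes):
            if c.user != user or now - c.issued_at >= CODE_TTL_SECONDS:
                continue  # belongs to someone else, or has expired
            if secrets.compare_digest(c.code, code):
                self._codes.remove(c)  # single use: consume on success
                return True
            c.attempts += 1  # wrong guess: count it against the live code
            if c.attempts >= MAX_ATTEMPTS:
                self._codes.remove(c)  # revoke a code that is being guessed at
        return False
```

Checking `active_codes()` after a burst of reset requests for one account is the simplest regression test for this class of bug: it must never exceed 1.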
CVSS Score
HIGH (CVSS base score 8.1)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cloudfoundry | Cloud Foundry Uaa Bosh | <= 10 |
| Pivotal Software | Cloud Foundry | <= 236 |
| Pivotal Software | Cloud Foundry Elastic Runtime | <= 1.7.1 |
| Pivotal Software | Cloud Foundry Uaa | <= 3.3.0 |
| Pivotal Software | Login-Server | - |
Related Weaknesses (CWE)
References
- https://pivotal.io/security/cve-2016-3084 (Vendor Advisory)
FAQ
What is CVE-2016-3084?
CVE-2016-3084 is a vulnerability with a CVSS score of 8.1 (HIGH). The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal ...
How severe is CVE-2016-3084?
CVE-2016-3084 has been rated HIGH with a CVSS base score of 8.1/10. See the CVSS Score section above.
Is there a patch for CVE-2016-3084?
Check the references section above for vendor advisories and patch information. Affected products include: Cloudfoundry Cloud Foundry Uaa Bosh, Pivotal Software Cloud Foundry, Pivotal Software Cloud Foundry Elastic Runtime, Pivotal Software Cloud Foundry Uaa, Pivotal Software Login-Server.