The UAA reset password flow in Cloud Foundry release v236 and earlier, UAA release v3.3.0 and earlier, all versions of Login-server, UAA release v10 and earlier, and Pivotal Elastic Runtime versions before 1.7.2 is vulnerable to a brute force attack because multiple reset codes can be active at the same time. This vulnerability applies only when the UAA internal user store is used for authentication. Deployments integrated via SAML or LDAP are not affected.
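As an added illustration (not UAA's own code), a minimal reset-code store that models the root cause described above: with several unexpired codes valid for one user, each guess has proportionally more chances to hit, whereas a single-active-code policy revokes the previous code on every reissue. The class name, the 10-minute TTL and the 16-byte code length are assumptions.

```python
import secrets
import time

CODE_BYTES = 16  # assumed code length; a 128-bit random token


class ResetCodeStore:
    """Password-reset codes keyed by code value.

    single_active=True  -> issuing a new code for a user revokes any earlier one,
                           so at most one code per user is valid at any moment.
    single_active=False -> models the pre-fix behaviour from the advisory:
                           every unexpired code stays valid, widening the target.
    """

    def __init__(self, ttl_seconds=600, single_active=True, now=time.time):
        self.ttl = ttl_seconds
        self.single_active = single_active
        self.now = now  # injectable clock, so expiry can be exercised offline
        self._codes = {}  # code -> (user, expires_at)

    def issue(self, user):
        if self.single_active:
            # Revoke every earlier code for this user before minting a new one.
            self._codes = {c: v for c, v in self._codes.items() if v[0] != user}
        code = secrets.token_urlsafe(CODE_BYTES)
        self._codes[code] = (user, self.now() + self.ttl)
        return code

    def active_codes(self, user):
        """Codes that would currently be accepted for `user`."""
        t = self.now()
        return [c for c, (u, exp) in self._codes.items() if u == user and exp > t]

    def redeem(self, code):
        """Return the user for a valid code, else None. A valid code is single-use."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        user, expires_at = entry
        return user if expires_at > self.now() else None


def guess_success_probability(active_codes, code_space_size, guesses):
    """Chance that `guesses` independent random guesses hit any of the
    `active_codes` valid codes drawn from a space of `code_space_size`.
    Exposure per guess scales linearly with the number of active codes."""
    p_miss = 1 - active_codes / code_space_size
    return 1 - p_miss ** guesses
```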
Vulnerable Product |
---|
pivotal software login-server |
cloudfoundry cloud foundry uaa bosh |
pivotal software cloud foundry elastic runtime |
pivotal software cloud foundry uaa |
pivotal software cloud foundry |