CVE-2015-3189


With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.


Published

2017-05-25T17:29:00.333

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.1: 3.7 (LOW)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
Exploitability Score

8.6

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-640

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | cloudfoundry | cf-release | ≤ 208 | Yes |
| Application | pivotal_software | cloud_foundry_elastic_runtime | ≤ 1.4.5 | Yes |
| Application | pivotal_software | cloud_foundry_uaa | ≤ 2.2.5 | Yes |
