Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2016-6651

The UAA /oauth/token endpoint in Pivotal Cloud Foundry (PCF) before 243; UAA 2.x before 2.7.4.8, 3.x before 3.3.0.6, and 3.4.x before 3.4.5; UAA BOSH before 11.7 and 12.x before 12.6; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 allows remote authenticated users to gain privileges by leveraging possession of a token.

Published

2016-09-30T00:59:04.337

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-264

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	cloudfoundry	cloud_foundry_uaa_bosh	≤ 16.0	Yes
Application	pivotal_software	cloud_foundry	≤ 242.0	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.0	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.1	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.2	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.3	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.4	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.5	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.6	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.7	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.8	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.9	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.10	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.11	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.12	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.13	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.14	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.15	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.17	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.18	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.19	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.20	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.21	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.22	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.23	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.25	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.26	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.27	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.28	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.29	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.30	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.31	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.32	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.33	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.34	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.35	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.36	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.37	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.38	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.6.39	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.0	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.1	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.2	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.3	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.4	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.5	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.6	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.7	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.8	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.9	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.10	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.11	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.12	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.13	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.14	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.15	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.16	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.17	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.18	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.19	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.7.20	Yes
Application	pivotal_software	cloud_foundry_elastic_runtime	1.8.0	Yes
Application	pivotal_software	cloud_foundry_ops_manager	1.7.0	Yes
Application	pivotal_software	cloud_foundry_ops_manager	1.7.1	Yes
Application	pivotal_software	cloud_foundry_ops_manager	1.7.2	Yes
Application	pivotal_software	cloud_foundry_ops_manager	1.7.3	Yes
Application	pivotal_software	cloud_foundry_ops_manager	1.7.4	Yes
Application	pivotal_software	cloud_foundry_ops_manager	1.7.5	Yes
Application	pivotal_software	cloud_foundry_ops_manager	1.7.6	Yes
Application	pivotal_software	cloud_foundry_ops_manager	1.7.7	Yes
Application	pivotal_software	cloud_foundry_ops_manager	1.7.8	Yes
Application	pivotal_software	cloud_foundry_ops_manager	1.7.9	Yes
Application	pivotal_software	cloud_foundry_ops_manager	1.7.10	Yes
Application	pivotal_software	cloud_foundry_ops_manager	1.7.11	Yes
Application	pivotal_software	cloud_foundry_ops_manager	1.7.12	Yes
Application	pivotal_software	cloud_foundry_ops_manager	1.8.0	Yes
Application	pivotal_software	cloud_foundry_uaa	≤ 3.7.0	Yes

References

http://www.securityfocus.com/bid/93241 ([email protected])
https://pivotal.io/security/cve-2016-6651 Mitigation, Vendor Advisory ([email protected])
http://www.securityfocus.com/bid/93241 (af854a3a-2127-422b-91ae-364da2661108)
https://pivotal.io/security/cve-2016-6651 Mitigation, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)