CVE-2016-3084 in Pivotal Software and Cloudfoundry Products
Published on May 25, 2017
The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.
Products Associated with CVE-2016-3084
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2016-3084 are published in these products:
Affected Versions
Pivotal Cloud Foundry:- Version release v236 and earlier versions is affected.
- Version UAA release v3.3.0 and earlier versions is affected.
- Version All versions of Login-server is affected.
- Version UAA release v10 and earlier versions is affected.
- Version Elastic Runtime versions prior to 1.7.2 is affected.
Exploit Probability
EPSS
0.34%
Percentile
56.24%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.