CVE-2017-4963

moderate-risk
Published 2017-06-13

An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers.

Do I need to act?

-
0.39% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10 High
NETWORK / HIGH complexity

Affected Products (3)

Cloud Foundry Uaa-Release
Cloud Foundry Cf-Release

Affected Vendors

Pivotal Software

References (2)

Vendor Advisory https://www.cloudfoundry.org/cve-2017-4963/
Vendor Advisory https://www.cloudfoundry.org/cve-2017-4963/
34
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 1/34 · Minimal
Exposure 9/34 · Low