CVE-2017-4963

EUVD-2017-14079
An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 59%
Affected Products (NVD)
VendorProductVersion
pivotal_softwarecloud_foundry_cf-release
𝑥
≤ 252
pivotal_softwarecloud_foundry_uaa
2.0.0 ≤
𝑥
≤ 2.7.4.12
pivotal_softwarecloud_foundry_uaa
3.0.0 ≤
𝑥
≤ 3.11.0
pivotal_softwarecloud_foundry_uaa-release
𝑥
≤ 26
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.cloudfoundry.org/cve-2017-4963/
https://www.cloudfoundry.org/cve-2017-4963/