CVE-2017-4963

An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
dellCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 58%
VendorProductVersion
pivotal_softwarecloud_foundry_cf-release
𝑥
≤ 252
pivotal_softwarecloud_foundry_uaa
2.0.0 ≤
𝑥
≤ 2.7.4.12
pivotal_softwarecloud_foundry_uaa
3.0.0 ≤
𝑥
≤ 3.11.0
pivotal_softwarecloud_foundry_uaa-release
𝑥
≤ 26
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.cloudfoundry.org/cve-2017-4963/
https://www.cloudfoundry.org/cve-2017-4963/