Vulnerabilities (CVE)

150 total CVE
Each entry lists: CVE | Vendors (count) | Products (count) | Updated | CVSS, followed by the description as recorded in the database.

CVE-2019-3787 | Vendors (1): Pivotal Software | Products (1): Cloud Foundry Uaa-release | Updated: 2019-10-10 | CVSS: 4.3
Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending "unknown.org" to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to...

CVE-2019-3803 | Vendors (1): Pivotal Software | Products (1): Concourse | Updated: 2019-10-09 | CVSS: 5.0
Pivotal Concourse, all versions prior to 4.2.2, puts the user access token in a URL during the login flow. A remote attacker who gains access to a user's browser history could obtain the access token and use it to authenticate as the user.

CVE-2019-3802 | Vendors (1): Pivotal Software | Products (1): Spring Data Java Persistence Api | Updated: 2019-10-09 | CVSS: 5.0
This affects Spring Data JPA in versions up to and including 2.1.6, 2.0.14 and 1.11.20. ExampleMatcher using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more...

CVE-2019-3794 | Vendors (1): Pivotal Software | Products (1): Cloud Foundry Uaa | Updated: 2019-10-09 | CVSS: 4.3
Cloud Foundry UAA, versions prior to v73.4.0, does not set an X-FRAME-OPTIONS header on various endpoints. A remote user can perform clickjacking attacks on UAA's frontend sites.

CVE-2019-3790 | Vendors (1): Pivotal Software | Products (1): Operations Manager | Updated: 2019-10-09 | CVSS: 5.5
Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contains configuration that circumvents refresh token expiration. A remote authenticated...

CVE-2019-3777 | Vendors (1): Pivotal Software | Products (1): Application Service | Updated: 2019-10-09 | CVSS: 5.0
Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contains an Apps Manager that uses a cloud controller proxy that fails to verify SSL certificates. A remote unauthenticated attacker that could...

CVE-2019-3776 | Vendors (1): Pivotal Software | Products (1): Operations Manager | Updated: 2019-10-09 | CVSS: 3.5
Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, and 2.4.x versions prior to 2.4.3, contains a reflected cross-site scripting vulnerability. A remote user that is able to...

CVE-2019-3774 | Vendors (1): Pivotal Software | Products (1): Spring Batch | Updated: 2019-10-09 | CVSS: 7.5
Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

CVE-2019-3773 | Vendors (1): Pivotal Software | Products (1): Spring Web Services | Updated: 2019-10-09 | CVSS: 7.5
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

CVE-2019-3772 | Vendors (2): Pivotal Software, Oracle | Products (2): Spring Integration, Retail Customer Management And Segmentation Foundation | Updated: 2019-10-09 | CVSS: 7.5
Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

CVE-2019-11280 | Vendors (1): Pivotal Software | Products (1): Pivotal Application Service | Updated: 2019-10-09 | CVSS: 6.5
Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to...

CVE-2019-11276 | Vendors (1): Pivotal Software | Products (1): Application Service | Updated: 2019-10-09 | CVSS: 4.1
Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring Actuator, and...

CVE-2019-11275 | Vendors (1): Pivotal Software | Products (1): Pivotal Application Service | Updated: 2019-10-09 | CVSS: 4.0
Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7, contains a vulnerability where a...

CVE-2019-11273 | Vendors (1): Pivotal Software | Products (1): Pivotal Container Service | Updated: 2019-10-09 | CVSS: 4.0
Pivotal Container Service (PKS), versions 1.3.x prior to 1.3.7 and versions 1.4.x prior to 1.4.1, contains a vulnerable component which logs the username and password to the billing database. A remote authenticated user with access to those logs...

CVE-2019-11268 | Vendors (1): Pivotal Software | Products (1): Cloud Foundry Uaa-release | Updated: 2019-10-09 | CVSS: 4.0
Cloud Foundry UAA, versions prior to 73.3.0, contains endpoints with improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those read privileges to all other identity zones and...

CVE-2018-1279 | Vendors (1): Pivotal Software | Products (1): Rabbitmq | Updated: 2019-10-09 | CVSS: 3.3
Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this...

CVE-2018-1273 | Vendors (2): Pivotal Software, Apache | Products (3): Spring Data Commons, Spring Data Rest, Ignite | Updated: 2019-10-09 | CVSS: 7.5
Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contains a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or...

CVE-2018-1230 | Vendors (1): Pivotal Software | Products (1): Spring Batch Admin | Updated: 2019-10-09 | CVSS: 6.8
Pivotal Spring Batch Admin, all versions, does not contain cross-site request forgery protection. A remote unauthenticated user could craft a malicious site that executes requests to Spring Batch Admin. This issue has not been patched because...

CVE-2018-1229 | Vendors (1): Pivotal Software | Products (1): Spring Batch Admin | Updated: 2019-10-09 | CVSS: 4.3
Pivotal Spring Batch Admin, all versions, contains a stored XSS vulnerability in the file upload feature. An unauthenticated malicious user with network access to Spring Batch Admin could store an arbitrary web script that would be executed by...

CVE-2018-15801 | Vendors (1): Pivotal Software | Products (1): Spring Framework | Updated: 2019-10-09 | CVSS: 5.8
Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In...