CVE-2017-8031
CVSS 3.5
Published: 2017-11-27 05:29:00
Last modified: 2017-12-21 11:05:55

[Original] An issue was discovered in Cloud Foundry Foundation cf-release (all versions prior to v279) and UAA (30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1). In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service.


[CNNVD] CNNVD data not yet available.


[Machine translation] Translation not yet available.

- CVSS (Base Score)

CVSS score: 3.5 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: MEDIUM [exploitation requires certain access conditions]
Access vector: NETWORK [the attacker does not need intranet or local access]
Authentication: SINGLE_INSTANCE [--]

- CWE (Weakness Category)

CWE-285 [Improper Authorization]

- CPE (Affected Platforms and Products)

cpe:/a:pivotal_software:cf-release:278
cpe:/a:pivotal_software:uaa-release:30
cpe:/a:pivotal_software:uaa-release:30.1
cpe:/a:pivotal_software:uaa-release:30.2
cpe:/a:pivotal_software:uaa-release:30.3
cpe:/a:pivotal_software:uaa-release:30.4
cpe:/a:pivotal_software:uaa-release:30.5
cpe:/a:pivotal_software:uaa-release:45
cpe:/a:pivotal_software:uaa-release:45.1
cpe:/a:pivotal_software:uaa-release:45.2
cpe:/a:pivotal_software:uaa-release:45.3
cpe:/a:pivotal_software:uaa-release:52

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8031
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8031
(Official data source) NVD

- Other Links and Resources

http://www.securityfocus.com/bid/101967
(VENDOR_ADVISORY)  BID  101967
https://www.cloudfoundry.org/cve-2017-8031/
(VENDOR_ADVISORY)  CONFIRM  https://www.cloudfoundry.org/cve-2017-8031/

- Vulnerability Information

Title: Multiple Cloud Foundry Products CVE-2017-8031 Denial of Service Vulnerability
Class: Failure to Handle Exceptional Conditions
Bugtraq ID: 101967
Remote: Yes
Local: No
Published: 2017-11-07 12:00:00
Updated: 2017-11-07 12:00:00
Credit: This issue reported by the vendor.

- Affected Program Versions

Pivotal UAA BOSH 52.0
Pivotal UAA BOSH 45.0
Pivotal UAA BOSH 30.0
Pivotal PCF Ops Manager 1.8.1
Pivotal PCF Ops Manager 1.7.13
Pivotal PCF Ops Manager 1.7.8
Pivotal PCF Ops Manager 1.7
Pivotal PCF Ops Manager 1.6.17
Pivotal PCF Ops Manager 1.6.9
Pivotal PCF Ops Manager 1.6.8
Pivotal PCF Ops Manager 1.6
Pivotal PCF Ops Manager 1.5.14
Pivotal PCF Ops Manager 1.5.13
Pivotal PCF Ops Manager 1.5
Pivotal PCF Ops Manager 1.4
Pivotal PCF Ops Manager 1.8
Pivotal PCF Ops Manager 1.7
Pivotal PCF Ops Manager 1.0
Pivotal PCF Elastic Runtime 1.8.2
Pivotal PCF Elastic Runtime 1.7.21
Pivotal PCF Elastic Runtime 1.6.40
Pivotal PCF Elastic Runtime 1.8
Pivotal PCF Elastic Runtime 1.7
Pivotal PCF Elastic Runtime 1.6
Cloud Foundry cf-release 90
Cloud Foundry cf-release 80
Cloud Foundry cf-release 70
Cloud Foundry cf-release 68
Cloud Foundry cf-release 270
Cloud Foundry cf-release 269
Cloud Foundry cf-release 268
Cloud Foundry cf-release 267
Cloud Foundry cf-release 260
Cloud Foundry cf-release 250
Cloud Foundry cf-release 245
Cloud Foundry cf-release 240
Cloud Foundry cf-release 230
Cloud Foundry cf-release 220
Cloud Foundry cf-release 210
Cloud Foundry cf-release 200
Cloud Foundry cf-release 100
Cloud Foundry cf-release 0

- Unaffected Program Versions

Pivotal UAA BOSH 52.1
Pivotal UAA BOSH 45.4
Pivotal UAA BOSH 30.6
Pivotal PCF Ops Manager 1.12.14
Pivotal PCF Ops Manager 1.11.13
Pivotal PCF Ops Manager 1.10.18
Pivotal PCF Elastic Runtime 1.12.6
Pivotal PCF Elastic Runtime 1.11.18
Pivotal PCF Elastic Runtime 1.10.32
Cloud Foundry cf-release 279

- Vulnerability Discussion

Multiple Cloud Foundry Products are prone to a denial-of-service vulnerability.

Attackers can exploit this issue to cause a denial-of-service condition.

- Exploit

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Updates are available. Please see the references or vendor advisory for more information.

- Related References
