CVE-2015-3191 – CSRF attack on change email

Severity

Low

Vendor

Cloud Foundry Foundation

Versions Affected

cf-release versions prior to v210
UAA versions prior to 2.3.0

Description

The change_email form in UAA is vulnerable to a CSRF attack. This allows an attacker to trigger an e-mail change for a user logged into a cloud foundry instance via a malicious link on a attacker controlled site. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.

Affected Products and Versions

Severity is low unless otherwise noted.

Cloud Foundry Runtime cf-release versions v209 or earlier are susceptible to this vulnerability
UAA versions 2.2.6 or earlier are susceptible to this vulnerability

Mitigation

Users of affected versions should apply the following mitigation:

The Cloud Foundry project team recommends that Cloud Foundry Runtime Deployments running Release v209 or earlier upgrade to v210 or later
The Cloud Foundry project teams recommends that Cloud Foundry UAA standalone deployments running Release 2.2.6 or earlier upgrade to 2.3.0 or later

Credit

This issue was identified by Mohammed Abdulqader Abobaker Al-saggaf and reported responsibly to the VMware Security Team.

CVE-2015-3191 – CSRF attack on change email

Severity

Vendor

Versions Affected

Description

Affected Products and Versions

Mitigation

Credit

You Might Also Like

USN-3237-1: FreeType vulnerability

USN-2820-1 dpkg vulnerability

USN-4038-1: bzip2 vulnerabilities

Sign up for the Cloud Foundry Newsletter today!

Sign up for the
Cloud Foundry Newsletter today!