Homepage

org.cloudfoundry.identity:cloudfoundry-identity-login@2.2.6 vulnerabilities

  • latest version

    2.7.4.7

  • latest non vulnerable version

    2.7.4.7

  • first published

    10 years ago

  • latest version published

    8 years ago

  • licenses detected

  • package registry

    View on Maven Central Repository
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the org.cloudfoundry.identity:cloudfoundry-identity-login package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Cross-site Request Forgery (CSRF)

    org.cloudfoundry.identity:cloudfoundry-identity-login Affected versions of the package are vulnerable to Cross-site Request Forgery (CSRF) via the change_email form. An attacker may trigger an e-mail change for a olgged in user via a malicious link on a attacker controlled site.

    [,2.3.0)
    • M
    Open Redirect

    org.cloudfoundry.identity:cloudfoundry-identity-login Affected versions of the package are vulnerable to Open Redirect attacks.

    [,2.3.0)
    • H
    Cross-domain Referer Leakage

    org.cloudfoundry.identity:cloudfoundry-identity-login Affected versions of the package are vulnerable to Information Exposure via the password recovery link.

    [,2.5.2)
    • C
    Improper Authentication

    org.cloudfoundry.identity:cloudfoundry-identity-login Affected versions of the package are vulnerable to Improper Authentication which occurs due to the Password Reset Link not expiring.

    Note: Deployments enabled for integration via SAML or LDAP are not affected.

    [,2.5.2)
    • H
    Cross-site Request Forgery (CSRF)

    org.cloudfoundry.identity:cloudfoundry-identity-login Affected versions of the package are vulnerable to Cross-site Request Forgery (CSRF). It is possible to log the user into another account instead of the account they intended to log into because due to lack of CSRF checks.

    [,2.5.2)
    • H
    Brute Force

    org.cloudfoundry.identity:cloudfoundry-identity-login is a Cloud Foundry User Account and Authentication plugin.

    Affected versions of this package are vulnerable to Brute Force via the reset password flow.

    How to fix Brute Force?

    Upgrade org.cloudfoundry.identity:cloudfoundry-identity-login to version 2.7.4.7 or higher.

    [2.2.4,2.7.4.7)
    • C
    Cross-site Request Forgery (CSRF)

    org.cloudfoundry.identity:cloudfoundry-identity-login Multiple cross-site request forgery (CSRF) vulnerabilities in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 allow remote attackers to hijack the authentication of unspecified victims for requests that approve or deny a scope via a profile or authorize approval page.

    [2,2.7.4.7)
    • M
    Open Redirect

    org.cloudfoundry.identity:cloudfoundry-identity-login The OAuth authorization implementation in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.1; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 mishandles redirect_uri subdomains, which allows remote attackers to obtain implicit access tokens via a modified subdomain.

    [2,2.7.4.7)
    • M
    Cross-site Scripting (XSS)

    org.cloudfoundry.identity:cloudfoundry-identity-login Affected versions of the package are vulnerable to Cross-site Scripting (XSS).

    [2,2.7.4.2)
    Go back to all versions of this package