org.cloudfoundry.identity:cloudfoundry-identity-login 2.7.4.5 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.cloudfoundry.identity:cloudfoundry-identity-login package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Brute Force org.cloudfoundry.identity:cloudfoundry-identity-login is a Cloud Foundry User Account and Authentication plugin. Affected versions of this package are vulnerable to Brute Force via the reset password flow. How to fix Brute Force? Upgrade `org.cloudfoundry.identity:cloudfoundry-identity-login` to version 2.7.4.7 or higher.	[2.2.4,2.7.4.7)
C Cross-site Request Forgery (CSRF) `org.cloudfoundry.identity:cloudfoundry-identity-login` Multiple cross-site request forgery (CSRF) vulnerabilities in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 allow remote attackers to hijack the authentication of unspecified victims for requests that approve or deny a scope via a profile or authorize approval page.	[2,2.7.4.7)
M Open Redirect `org.cloudfoundry.identity:cloudfoundry-identity-login` The OAuth authorization implementation in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.1; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 mishandles redirect_uri subdomains, which allows remote attackers to obtain implicit access tokens via a modified subdomain.	[2,2.7.4.7)

Vulnerability

Vulnerable Version

Brute Force

org.cloudfoundry.identity:cloudfoundry-identity-login is a Cloud Foundry User Account and Authentication plugin.

Affected versions of this package are vulnerable to Brute Force via the reset password flow.

How to fix Brute Force?

Upgrade org.cloudfoundry.identity:cloudfoundry-identity-login to version 2.7.4.7 or higher.

[2.2.4,2.7.4.7)

Cross-site Request Forgery (CSRF)

org.cloudfoundry.identity:cloudfoundry-identity-login Multiple cross-site request forgery (CSRF) vulnerabilities in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 allow remote attackers to hijack the authentication of unspecified victims for requests that approve or deny a scope via a profile or authorize approval page.

[2,2.7.4.7)

Open Redirect

org.cloudfoundry.identity:cloudfoundry-identity-login The OAuth authorization implementation in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.1; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 mishandles redirect_uri subdomains, which allows remote attackers to obtain implicit access tokens via a modified subdomain.

[2,2.7.4.7)

org.cloudfoundry.identity:cloudfoundry-identity-login@2.7.4.5 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically