CVE-2016-6659

Published: Dec 23, 2016Modified: May 6, 2026

8.1

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

Cloud Foundry before 248; UAA 2.x before 2.7.4.12, 3.x before 3.6.5, and 3.7.x through 3.9.x before 3.9.3; and UAA bosh release (aka uaa-release) before 13.9 for UAA 3.6.5 and before 24 for UAA 3.9.3 allow attackers to gain privileges by accessing UAA logs and subsequently running a specially crafted application that interacts with a configured SAML provider.

Affected (3)

Products: Cloudfoundry: Cloud Foundry Uaa Bosh · Pivotal Software: Cloud Foundry, Cloud Foundry Uaa

1 product

Cloud Foundry Uaa Bosh

Pivotal Software

2 products

Cloud Foundry Uaa

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Cloudfoundry Cloud Foundry Uaa Bosh	Up to 23.0
Pivotal Software Cloud Foundry	Up to 247.0
Pivotal Software Cloud Foundry Uaa	Up to 3.9.2

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (4)

http://www.securityfocus.com/bid/95085

Source: security_alert@emc.com

https://www.cloudfoundry.org/cve-2016-6659/

Source: security_alert@emc.com

Vendor Advisory

http://www.securityfocus.com/bid/95085

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.cloudfoundry.org/cve-2016-6659/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.