8.8
CVE-2016-4468
- EPSS 1.33%
- Published 11.04.2017 15:59:00
- Last modified 20.04.2025 01:37:25
- Source secalert@redhat.com
- Teams watchlist Login
- Open Login
SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
Data is provided by the National Vulnerability Database (NVD)
Cloudfoundry ≫ Cloud Foundry Uaa Bosh Version <= 12.0
Pivotal Software ≫ Cloud Foundry Version <= 237.0
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.0
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.1
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.2
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.3
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.4
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.5
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.6
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.7
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.8
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.9
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.10
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.11
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.12
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.13
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.14
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.15
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.17
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.18
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.19
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.20
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.21
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.22
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.23
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.25
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.26
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.27
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.28
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.7.0
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.7.1
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.7.2
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.7.3
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.7.4
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.7.5
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.7.6
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.7.7
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.8.0
Pivotal Software ≫ Cloud Foundry Ops Manager Version1.7.0
Pivotal Software ≫ Cloud Foundry Ops Manager Version1.7.1
Pivotal Software ≫ Cloud Foundry Ops Manager Version1.7.2
Pivotal Software ≫ Cloud Foundry Ops Manager Version1.7.3
Pivotal Software ≫ Cloud Foundry Ops Manager Version1.7.4
Pivotal Software ≫ Cloud Foundry Ops Manager Version1.7.5
Pivotal Software ≫ Cloud Foundry Ops Manager Version1.7.6
Pivotal Software ≫ Cloud Foundry Ops Manager Version1.7.7
Pivotal Software ≫ Cloud Foundry Ops Manager Version1.7.8
Pivotal Software ≫ Cloud Foundry Uaa Version <= 3.4.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.33% | 0.781 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.