6.5

CVE-2017-4974

An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v258; UAA release 2.x versions prior to v2.7.4.15, 3.6.x versions prior to v3.6.9, 3.9.x versions prior to v3.9.11, and other versions prior to v3.16.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.13, 24.x versions prior to v24.8, and other versions prior to v30.1. An authorized user can use a blind SQL injection attack to query the contents of the UAA database, aka "Blind SQL Injection with privileged UAA endpoints."

Data is provided by the National Vulnerability Database (NVD)
CloudfoundryCf-release Version <= v257
Pivotal SoftwareCloud Foundry Uaa Version <= 4.2.0
Pivotal SoftwareCloud Foundry Uaa Version2.2.5.4
Pivotal SoftwareCloud Foundry Uaa Version2.7.4.1
Pivotal SoftwareCloud Foundry Uaa Version2.7.4.2
Pivotal SoftwareCloud Foundry Uaa Version2.7.4.3
Pivotal SoftwareCloud Foundry Uaa Version2.7.4.4
Pivotal SoftwareCloud Foundry Uaa Version2.7.4.5
Pivotal SoftwareCloud Foundry Uaa Version2.7.4.6
Pivotal SoftwareCloud Foundry Uaa Version2.7.4.7
Pivotal SoftwareCloud Foundry Uaa Version2.7.4.8
Pivotal SoftwareCloud Foundry Uaa Version2.7.4.9
Pivotal SoftwareCloud Foundry Uaa Version2.7.4.11
Pivotal SoftwareCloud Foundry Uaa Version2.7.4.12
Pivotal SoftwareCloud Foundry Uaa Version2.7.4.13
Pivotal SoftwareCloud Foundry Uaa Version2.7.4.14
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.28% 0.486
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 4 8 2.9
AV:N/AC:L/Au:S/C:P/I:N/A:N
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.