Main Vulnerability Database Vulnerabilities #VU31403

Insufficient Session Expiration in Cloud Foundry UAA - CVE-2015-5171

Published: October 24, 2017 / Updated: July 18, 2020

Vulnerability identifier: #VU31403

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2015-5171

CWE-ID: CWE-613

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Cloud Foundry Foundation

Affected software:
Cloud Foundry UAA

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions.

How to mitigate CVE-2015-5171

Install update from vendor's website.

Sources

https://pivotal.io/security/cve-2015-5170-5173

Insufficient Session Expiration in Cloud Foundry UAA - CVE-2015-5171

Detailed vulnerability description

How to mitigate CVE-2015-5171

Sources

Please verify you're human