CVE-2015-3189 - Expire old reset password links
Severity

Low

Vendor

Cloud Foundry Foundation

Versions Affected
  • cf-release versions prior to v209
  • UAA versions prior to 2.2.6
Description

Old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.
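As an added example (constructed here, not UAA's code), the following Python model contrasts a reset-token store with the flaw described above against one that revokes outstanding links when the account email changes and re-checks the bound address at redemption; user ids, addresses and the TTL are made up.

```python
import secrets

# Constructed model of a password-reset flow, added to illustrate
# CVE-2015-3189; it is not UAA code. A reset token is issued for a user,
# then the user changes email. In the flawed store the old link still
# works; in the fixed store tokens are bound to the email they were
# issued for and revoked when that address changes.


class ResetTokenStore:
    def __init__(self, bind_to_email):
        self.bind_to_email = bind_to_email  # False reproduces the flaw
        self.emails = {}                    # user_id -> current email
        self.tokens = {}                    # token -> (user_id, email, expiry)

    def add_user(self, user_id, email):
        self.emails[user_id] = email

    def issue_reset(self, user_id, now, ttl=3600):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user_id, self.emails[user_id], now + ttl)
        return token

    def change_email(self, user_id, new_email):
        self.emails[user_id] = new_email
        if self.bind_to_email:
            # Fix: revoke every outstanding reset link tied to this account,
            # since they were mailed to the address that is no longer current.
            self.tokens = {t: v for t, v in self.tokens.items() if v[0] != user_id}

    def redeem(self, token, now):
        entry = self.tokens.pop(token, None)  # single use
        if entry is None:
            return False
        user_id, issued_for, expiry = entry
        if now > expiry:
            return False
        # Fix (second line of defence): honour the link only if the address
        # it was sent to is still the account's address.
        if self.bind_to_email and issued_for != self.emails.get(user_id):
            return False
        return True


def reset_survives_email_change(bind_to_email):
    """Issue a link, change the email, then try the old link (constructed data)."""
    store = ResetTokenStore(bind_to_email)
    store.add_user("u1", "old@example.test")
    token = store.issue_reset("u1", now=0)
    store.change_email("u1", "new@example.test")
    return store.redeem(token, now=60)
```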

Affected Pivotal Products and Versions

Severity is low unless otherwise noted.

  • Cloud Foundry Runtime cf-release versions v208 or earlier are susceptible to this vulnerability
  • UAA Standalone versions 2.2.5 or earlier are susceptible to this vulnerability
  • Pivotal Cloud Foundry Runtime 1.4.5 or earlier
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project team recommends that Cloud Foundry Runtime Deployments running Release v208 or earlier upgrade to v209 or later
  • The Cloud Foundry project team recommends that Cloud Foundry UAA standalone deployments running Release 2.2.5 or earlier upgrade to Release 2.2.6 or later
  • This issue will be patched in a future version of Pivotal Cloud Foundry
Credit

This issue was identified by Mohammed Abdulqader Abobaker Al-saggaf and reported responsibly to the Pivotal Security Team.