CVE-2017-4959 Pivotal Cloud Foundry account authorization vulnerability
Critical
Pivotal
Pivotal Cloud Foundry deployments using the Pivotal Account application are vulnerable to a flaw that allows an authorized user to take over the account of another user, causing account lockout and potential escalation of privileges.
Severity is critical unless otherwise noted.
- PCF Elastic Runtime:
  - 1.8.x versions prior to 1.8.29
  - 1.9.x versions prior to 1.9.7
  - Note: 1.6.x, 1.7.x, and earlier versions are not affected.
Users of affected versions should apply the following mitigation:
- Upgrade PCF Elastic Runtime:
  - 1.8.x versions to 1.8.29
  - 1.9.x versions to 1.9.7
  - Note: 1.6.x, 1.7.x, and earlier versions are not affected.
Important: To correctly mitigate this issue, the Push Pivotal Account errand must be checked (enabled) under Post-Deploy Errands before upgrading. If you have already upgraded without running the errand, please contact Pivotal Support at https://support.pivotal.io/.
This vulnerability was responsibly reported by Andrew Cantino, Pivotal.
2017-02-14: Initial vulnerability report published
2017-02-15: Credit and note about upgrade errands added