CVE-2017-4992: Privilege escalation with user invitations


Severity

Critical

Affected Pivotal Products and Versions

Severity is critical unless otherwise noted.

  • PCF Elastic Runtime:
    • 1.6.x versions prior to 1.6.79
    • 1.7.x versions prior to 1.7.64
    • 1.8.x versions prior to 1.8.44
    • 1.9.x versions prior to 1.9.22
    • 1.10.x versions prior to 1.10.9
  • PCF Operations Manager:
    • 1.7.x versions prior to 1.7.29
    • 1.8.x versions prior to 1.8.21
    • 1.9.x versions prior to 1.9.12
    • 1.10.x versions prior to 1.10.7
    • Note: Ops Manager 1.6.x and lower versions are not affected by this issue
Mitigation

Users of affected versions should apply the following mitigation or upgrade:

  • The Cloud Foundry team recommends upgrading BOSH stemcells or other OSS components listed in the upstream Cloud Foundry advisory for this CVE, if applicable.
  • Releases that have fixed this issue include:
    • PCF Elastic Runtime: 1.6.79, 1.7.64, 1.8.44, 1.9.22, 1.10.9
    • PCF Ops Manager: 1.7.29, 1.8.21, 1.9.12, 1.10.7
  • Please contact Pivotal Support at https://support.pivotal.io if you need further assistance.
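The fixed-release list above is easy to misread when comparing versions by hand or with a naive string comparison: "1.10.9" sorts before "1.9.22" lexicographically even though it is the newer release. The following added example (not part of the Pivotal advisory, and not Pivotal tooling) encodes the first fixed release per minor line for both products, parses versions into integer tuples so that 1.10.x compares correctly against 1.9.x, honours the note that Ops Manager 1.6.x and lower is not affected, and reports "unknown" rather than guessing for any line the advisory does not mention. The product keys, function names and sample inventory are this example's own assumptions.

```python
"""Check PCF Elastic Runtime / Ops Manager versions against the CVE-2017-4992 fix lines."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# First release that fixes the issue, per minor line, taken from the advisory above.
# The product keys "elastic-runtime" / "ops-manager" are this example's own naming.
FIXED_IN: Dict[str, Dict[Tuple[int, int], Version]] = {
    "elastic-runtime": {
        (1, 6): (1, 6, 79),
        (1, 7): (1, 7, 64),
        (1, 8): (1, 8, 44),
        (1, 9): (1, 9, 22),
        (1, 10): (1, 10, 9),
    },
    "ops-manager": {
        (1, 7): (1, 7, 29),
        (1, 8): (1, 8, 21),
        (1, 9): (1, 9, 12),
        (1, 10): (1, 10, 7),
    },
}

# Advisory note: Ops Manager 1.6.x and lower are not affected by this issue.
OPS_MANAGER_UNAFFECTED_BELOW: Tuple[int, int] = (1, 7)

# MAJOR.MINOR.PATCH with an optional leading "v" and optional "-..."/"+..." build suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> Version:
    """Parse a version string into a tuple of ints.

    Integer tuples compare numerically, so (1, 10, 9) > (1, 9, 22); the raw
    strings would compare the other way round and misclassify the 1.10 line.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def status(product: str, version: str) -> str:
    """Return 'affected', 'fixed', 'not_affected' or 'unknown' for one product version."""
    if product not in FIXED_IN:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    line = v[:2]
    if product == "ops-manager" and line < OPS_MANAGER_UNAFFECTED_BELOW:
        return "not_affected"
    fixed = FIXED_IN[product].get(line)
    if fixed is None:
        # The advisory names neither this line nor a fix for it; do not guess.
        return "unknown"
    return "fixed" if v >= fixed else "affected"


def needs_upgrade(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Given (name, product, version) triples, return the names still on affected releases."""
    return [name for name, product, version in inventory
            if status(product, version) == "affected"]


# Constructed sample inventory for demonstration; these are not real deployments.
SAMPLE_INVENTORY = [
    ("prod-ert", "elastic-runtime", "1.10.8"),
    ("staging-ert", "elastic-runtime", "1.9.22"),
    ("prod-opsman", "ops-manager", "1.10.7"),
    ("lab-opsman", "ops-manager", "1.6.15"),
]

if __name__ == "__main__":
    for name, product, version in SAMPLE_INVENTORY:
        print(f"{name:12} {product:16} {version:8} {status(product, version)}")
    print("needs upgrade:", needs_upgrade(SAMPLE_INVENTORY))
```

Feed it the versions reported by Ops Manager for each installed tile; anything that comes back "unknown" is a line this advisory does not cover and should be checked against the vendor's current guidance rather than assumed safe.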