All Vulnerability Reports

CVE-2017-8040: XXE Vulnerability in Single Sign-On for PCF


Severity

Low

Vendor

Pivotal

Description

An XXE (XML External Entity) attack was discovered in the Single Sign-On service dashboard. Privileged users can in some cases upload malformed XML leading to exposure of data on the Single Sign-On service broker file system.

Affected Pivotal Products and Versions

Severity is low unless otherwise noted.

  • Single Sign-On for PCF:
    • 1.3.x versions prior to 1.3.4
    • 1.4.x versions prior to 1.4.3
Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • Single Sign-On for PCF: 1.3.4, 1.4.3
References
History

2017-08-31: Initial vulnerability report published