cnvd - cnvd-2017-02055

CNVD-2017-02055

Vulnerability from cnvd - Published: 2017-02-26

Title

Pivotal Cloud Foundry Elastic Runtime权限提升漏洞

Description

Pivotal Cloud Foundry（PCF）是美国Pivotal Software公司的一套开源的平台即服务（PaaS）云计算平台，它提供容器调度、持续交付和自动化服务部署等功能。 Pivotal Cloud Foundry Elastic Runtime存在权限提升漏洞。攻击者可利用漏洞获取提升的权限，发动进一步的攻击。

Severity

中

Patch Name

Pivotal Cloud Foundry Elastic Runtime权限提升漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://pivotal.io/security/cve-2017-4959

Reference

http://www.securityfocus.com/bid/96218

Impacted products

Name
['Pivotal Software PCF Elastic Runtime 1.8.，<1.8.29', 'Pivotal Software PCF Elastic Runtime \r\n1.9.，<1.9.7']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "96218"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-4959",
      "cveUrl": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4959"
    }
  },
  "description": "Pivotal Cloud Foundry\uff08PCF\uff09\u662f\u7f8e\u56fdPivotal Software\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u5e73\u53f0\u5373\u670d\u52a1\uff08PaaS\uff09\u4e91\u8ba1\u7b97\u5e73\u53f0\uff0c\u5b83\u63d0\u4f9b\u5bb9\u5668\u8c03\u5ea6\u3001\u6301\u7eed\u4ea4\u4ed8\u548c\u81ea\u52a8\u5316\u670d\u52a1\u90e8\u7f72\u7b49\u529f\u80fd\u3002\r\n\r\nPivotal Cloud Foundry Elastic Runtime\u5b58\u5728\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u63d0\u5347\u7684\u6743\u9650\uff0c\u53d1\u52a8\u8fdb\u4e00\u6b65\u7684\u653b\u51fb\u3002",
  "discovererName": "Andrew Cantino, Pivotal.",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://pivotal.io/security/cve-2017-4959",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-02055",
  "openTime": "2017-02-26",
  "patchDescription": "Pivotal Cloud Foundry\uff08PCF\uff09\u662f\u7f8e\u56fdPivotal Software\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u5e73\u53f0\u5373\u670d\u52a1\uff08PaaS\uff09\u4e91\u8ba1\u7b97\u5e73\u53f0\uff0c\u5b83\u63d0\u4f9b\u5bb9\u5668\u8c03\u5ea6\u3001\u6301\u7eed\u4ea4\u4ed8\u548c\u81ea\u52a8\u5316\u670d\u52a1\u90e8\u7f72\u7b49\u529f\u80fd\u3002\r\n\r\nPivotal Cloud Foundry Elastic Runtime\u5b58\u5728\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u63d0\u5347\u7684\u6743\u9650\uff0c\u53d1\u52a8\u8fdb\u4e00\u6b65\u7684\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Pivotal Cloud Foundry Elastic Runtime\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Pivotal Software PCF Elastic Runtime 1.8.*\uff0c\u003c1.8.29",
      "Pivotal Software PCF Elastic Runtime \r\n1.9.*\uff0c\u003c1.9.7"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/96218",
  "serverity": "\u4e2d",
  "submitTime": "2017-02-17",
  "title": "Pivotal Cloud Foundry Elastic Runtime\u6743\u9650\u63d0\u5347\u6f0f\u6d1e"
}

CVE-2017-4959 (GCVE-0-2017-4959)

Vulnerability from cvelistv5 – Published: 2017-06-13 06:00 – Updated: 2024-08-05 14:47

Summary

An issue was discovered in Pivotal PCF Elastic Runtime 1.8.x versions prior to 1.8.29 and 1.9.x versions prior to 1.9.7. Pivotal Cloud Foundry deployments using the Pivotal Account application are vulnerable to a flaw which allows an authorized user to take over the account of another user, causing account lockout and potential escalation of privileges.

Severity ?

No CVSS data available.

CWE

Pivotal Cloud Foundry account authorization vulnerability

Assigner

dell

References

URL

Tags

	http://www.securityfocus.com/bid/96218	vdb-entryx_refsource_BID
	https://pivotal.io/security/cve-2017-4959	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	PCF Elastic Runtime	Affected: PCF Elastic Runtime

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:47:43.745Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "96218",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/96218"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pivotal.io/security/cve-2017-4959"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PCF Elastic Runtime",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "PCF Elastic Runtime"
            }
          ]
        }
      ],
      "datePublic": "2017-06-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Pivotal PCF Elastic Runtime 1.8.x versions prior to 1.8.29 and 1.9.x versions prior to 1.9.7. Pivotal Cloud Foundry deployments using the Pivotal Account application are vulnerable to a flaw which allows an authorized user to take over the account of another user, causing account lockout and potential escalation of privileges."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Pivotal Cloud Foundry account authorization vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-06-13T09:57:01",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "name": "96218",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/96218"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pivotal.io/security/cve-2017-4959"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security_alert@emc.com",
          "ID": "CVE-2017-4959",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PCF Elastic Runtime",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "PCF Elastic Runtime"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Pivotal PCF Elastic Runtime 1.8.x versions prior to 1.8.29 and 1.9.x versions prior to 1.9.7. Pivotal Cloud Foundry deployments using the Pivotal Account application are vulnerable to a flaw which allows an authorized user to take over the account of another user, causing account lockout and potential escalation of privileges."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Pivotal Cloud Foundry account authorization vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "96218",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/96218"
            },
            {
              "name": "https://pivotal.io/security/cve-2017-4959",
              "refsource": "CONFIRM",
              "url": "https://pivotal.io/security/cve-2017-4959"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2017-4959",
    "datePublished": "2017-06-13T06:00:00",
    "dateReserved": "2016-12-29T00:00:00",
    "dateUpdated": "2024-08-05T14:47:43.745Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-02055

CVE-2017-4959 (GCVE-0-2017-4959)

Tags

Sightings

Nomenclature