CVE-2016-3084 — Cloud Foundry UAA reset password vulnerable to brute force attack

Description

The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.

How to fix CVE-2016-3084

To remediate CVE-2016-3084, upgrade the affected package to a fixed version below.

—upgrade to 3.3.0.1 or later

Is CVE-2016-3084 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.3.0.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-3084
PATCHgithub.com/cloudfoundry/uaa
WEBgithub.com/cloudfoundry/uaa/commit/14350228989e2aee900b8d48a848293bb5152b6f
WEBgithub.com/cloudfoundry/uaa/commit/1d3ad7399d010f6a29dc3bf8139d792121301ab8