CVE-2017-4974 — Blind SQL Injection with privileged Cloud Foundry UAA endpoints

Description

An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v258; UAA release 2.x versions prior to v2.7.4.15, 3.6.x versions prior to v3.6.9, 3.9.x versions prior to v3.9.11, and other versions prior to v3.16.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.13, 24.x versions prior to v24.8, and other versions prior to v30.1. An authorized user can use a blind SQL injection attack to query the contents of the UAA database, aka "Blind SQL Injection with privileged UAA endpoints."

How to fix CVE-2017-4974

To remediate CVE-2017-4974, upgrade the affected package to a fixed version below.

—upgrade to 2.7.4.15 or later

Is CVE-2017-4974 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.0.0, < 2.7.4.15

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-4974
PATCHgithub.com/cloudfoundry/uaa
WEBgithub.com/cloudfoundry/uaa/commit/01edea6337c8ddb2ab80906aa1254d3c1dc02fb
WEBgithub.com/cloudfoundry/uaa/commit/2dbeb9e93e076d71d7f0886dea9f77f23e0b8f3c