CVE-2017-4992 — Cloud Foundry UAA privilege escalation with user invitations

Description

An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v261; UAA release 2.x versions prior to v2.7.4.17, 3.6.x versions prior to v3.6.11, 3.9.x versions prior to v3.9.13, and other versions prior to v4.2.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.15, 24.x versions prior to v24.10, 30.x versions prior to 30.3, and other versions prior to v37. There is privilege escalation (arbitrary password reset) with user invitations.

How to fix CVE-2017-4992

To remediate CVE-2017-4992, upgrade the affected package to a fixed version below.

—upgrade to 2.7.4.17 or later

Is CVE-2017-4992 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.0.0, < 2.7.4.17

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-4992
PATCHgithub.com/cloudfoundry/uaa
WEBgithub.com/cloudfoundry/uaa/commit/1c9c6dd88266cfa7d333e5d8be1031fa31c5c939
WEBgithub.com/cloudfoundry/uaa/commit/3ce42a4c75828cb58287c3c7495dde3f5261f12c