CVE-2015-3189
First published: Thu May 25 2017(Updated: )
With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.
Credit: security_alert@emc.com security_alert@emc.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.cloudfoundry.identity:cloudfoundry-identity-server | <2.2.5 | 2.2.5 |
| Cloud Foundry CF Release | <=208 | |
| Pivotal Cloud Foundry Elastic Runtime | <=1.4.5 | |
| Cloud Foundry UAA | <=2.2.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://pivotal.io/security/cve-2015-3189
- https://nvd.nist.gov/vuln/detail/CVE-2015-3189
- https://github.com/cloudfoundry/uaa/commit/a79b89f6e4f66626914b029b7a15a423491f8013
- https://github.com/cloudfoundry/uaa/commits/2.2.5
- https://github.com/cloudfoundry/uaa/compare/2.2.4...2.2.5
- https://github.com/cloudfoundry/uaa/compare/2.2.5...2.2.6
- https://github.com/advisories/GHSA-fj69-p8f6-q97h (Advisory)
Frequently Asked Questions
What is the severity of CVE-2015-3189?
CVE-2015-3189 is classified as a moderate severity vulnerability.
How do I fix CVE-2015-3189?
To fix CVE-2015-3189, upgrade to Cloud Foundry cf-release versions beyond v208, UAA Standalone versions beyond 2.2.5, or Pivotal Cloud Foundry Runtime versions beyond 1.4.5.
What does CVE-2015-3189 affect?
CVE-2015-3189 affects Cloud Foundry cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier, and Pivotal Cloud Foundry Runtime versions 1.4.5 or earlier.
What is the impact of CVE-2015-3189?
The impact of CVE-2015-3189 is that old password reset links remain active after a user changes their email address, potentially allowing unauthorized account access.
Is CVE-2015-3189 still a concern for users?
CVE-2015-3189 is a concern for users who use the affected versions of Cloud Foundry software, particularly since old password reset links could be exploited.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-fj69-p8f6-q97h
- alias/CVE-2015-3189
- agent/software-canonical-lookup
- agent/references
- agent/severity
- agent/weakness
- agent/description
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/maven
- vendor/cloudfoundry
- canonical/cloud foundry cf release
- version/cloud foundry cf release/208
- vendor/pivotal software
- canonical/pivotal cloud foundry elastic runtime
- version/pivotal cloud foundry elastic runtime/1.4.5
- canonical/cloud foundry uaa
- version/cloud foundry uaa/2.2.5