CVE-2016-3084

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2016-3084

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-3084.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2016-3084

Aliases

GHSA-fm5c-2rwc-887w

Published

2017-05-25T17:29:00.630Z

Modified

2026-03-12T22:19:24.932961Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.

References

https://pivotal.io/security/cve-2016-3084

Affected packages

Git / github.com/cloudfoundry/cf-release

Affected ranges

Type

GIT

Repo

https://github.com/cloudfoundry/cf-release

Events

Introduced

Last affected

9a550e9dbce3fbd779263dff5f5458be8ce88c79

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "236"
        }
    ]
}

Type

GIT

Repo

https://github.com/cloudfoundry/uaa

Events

Introduced

Last affected

36efbc0bf6186a4abaf51c04e55cdb2d5e15091b

Introduced

Last affected

85fbe8ee080c50a86ac2f90fcdc705e3db6e82eb

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.7.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.3.0"
        }
    ]
}

Type

GIT

Repo

https://github.com/cloudfoundry/uaa-release

Events

Introduced

Last affected

ba330dcf9a5f864af59d0904449dbf1b2954b3b4

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "10"
        }
    ]
}

Affected versions

Other

list

log

scotty_09012012

v10

v100

v101

v102

v103

v104

v105

v106

v107

v108

v109

v110

v111

v112

v113

v114

v115

v116

v117

v118

v119

v119-fixed

v120

v121

v122

v123

v124

v125

v126

v127

v128

v129

v130

v131

v132

v133

v134

v135

v136

v137

v138

v139

v140

v141

v142

v143

v144

v145

v146

v147

v148

v149

v150

v151

v152

v153

v154

v155

v156

v157

v158

v159

v160

v161

v162

v163

v164

v165

v166

v168

v169

v170

v171

v172

v173

v175

v176

v177

v178

v179

v180

v182

v183

v186

v187

v188

v189

v190

v191

v192

v193

v194

v195

v196

v197

v198

v199

v200

v201

v202

v203

v204

v205

v206

v207

v208

v209

v210

v211

v212

v213

v214

v215

v217

v218

v219

v220

v221

v222

v223

v224

v225

v226

v227

v228

v229

v230

v231

v232

v233

v234

v235

v236

v68

v69

v70

v71

v72

v73

v74

v75

v76

v77

v78

v79

v80

v81

v82

v83

v84

v85

v86

v87

v88

v89

v90

v91

v92

v93

v94

v95

v95-fixed

v96

v97

v98

v99

works-for-us

1.*

1.0.1

1.0.2

1.0.3

1.1

1.1.1

1.1.2

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.3.1

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.5.0

1.5.2

1.5.2.1

1.5.3

1.5.4

1.5.4.1

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.7.0

1.7.1

rc145.*

rc145.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-3084.json"