CVE-2016-3084

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2016-3084

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-3084.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2016-3084

Aliases

GHSA-fm5c-2rwc-887w

Published

2017-05-25T17:29:00.630Z

Modified

2026-04-10T03:50:50.844570Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.

References

https://pivotal.io/security/cve-2016-3084

Affected packages

Git / github.com/cloudfoundry/cf-release

Affected ranges

Type

GIT

Repo

https://github.com/cloudfoundry/cf-release

Events

Introduced

Last affected

9a550e9dbce3fbd779263dff5f5458be8ce88c79

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "236"
        }
    ]
}

Type

GIT

Repo

https://github.com/cloudfoundry/uaa

Events

Introduced

Last affected

36efbc0bf6186a4abaf51c04e55cdb2d5e15091b

Introduced

Last affected

85fbe8ee080c50a86ac2f90fcdc705e3db6e82eb

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.7.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.3.0"
        }
    ]
}

Type

GIT

Repo

https://github.com/cloudfoundry/uaa-release

Events

Introduced

Last affected

ba330dcf9a5f864af59d0904449dbf1b2954b3b4

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "10"
        }
    ]
}

Affected versions

Other

lenient_hybrid_flow

list

log

scotty_09012012

v10

v100

v102

v103

v104

v105

v109

v119

v132

v133

v134

v135

v136

v137

v140

v143

v156

v157

v161

v170

v183

v205

v236

v99

works-for-us

1.*

1.0.1

1.0.3

1.1

1.1.1

1.1.2

1.10

1.11

1.2.0

1.2.6

1.4.0

1.4.1

1.4.2

1.4.3

1.4.5

1.4.6

1.4.7

1.5.0

1.5.2

1.5.2.1

1.5.3

1.5.4

1.5.4.1

1.6.0

1.6.4

1.6.5

1.7.0

1.7.1

1.7.2

1.8.1

1.8.2

1.8.3

1.9.0

1.9.1

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.1.0

2.2.4.1

2.2.5

2.2.6

2.3.0

2.3.1

2.3.1.1

2.4.0

2.4.1

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.6.2

2.7.0

2.7.0.1

2.7.0.2

2.7.0.3

2.7.1

2.7.2

2.7.3

3.*

3.0.0

3.0.1

3.1.0

3.2.0

3.2.1

3.3.0

rc145.*

rc145.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-3084.json"