Vulnerability identifier: #VU713

Vulnerability risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6636

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pivotal Cloud Foundry Elastic Runtime
Client/Desktop applications / Software for archiving
Pivotal Cloud Foundry Ops Manager
Client/Desktop applications / Software for archiving
Cloud Foundry UAA
Server applications / Web servers
Bosh Release for the UAA
Server applications / Virtualization software

Vendor: Cloud Foundry Foundation

Description
The vulnerability alows a remote user to obtain implicit access tokens on the target system.
The weakness is caused by incorrect validation of redirect_uri during OAuth authorization flow. By using different request subdomain attackers can get implicit access tokens.
Successful exploitation of the vulnerability allows a malicious user to access implicit tolens on the vulnerable system.

Mitigation
Update Pivotal Cloud Foundry UAA 2.x to 2.7.4.7, 3.x to 3.3.0.5, and 3.4.x to 3.4.4;
Update Pivotal Cloud Foundry UAA BOSH 11.5 and 12.x to 12.5;
Update Pivotal Cloud Foundry Elastic Runtime 1.6.40, 1.7.x to 1.7.21, and 1.8.x to 1.8.1;
Update Pivotal Cloud Foundry Ops Manager 1.7.x to 1.7.13 and 1.8.x to 1.8.1.

Vulnerable software versions

Pivotal Cloud Foundry Elastic Runtime: 1.6.40 - 1.8.1

Cloud Foundry UAA: 2.0 - 3.4.4

Pivotal Cloud Foundry Ops Manager: 1.7.0 - 1.8.0

Bosh Release for the UAA: 11.5 - 12.4

---

External links
http://pivotal.io/security/cve-2016-6636

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.