The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cloud_foundry_uaa_bosh | Cloudfoundry | * | 10 (including) |
| Cloud_foundry | Pivotal_software | * | 236 (including) |
| Cloud_foundry_elastic_runtime | Pivotal_software | * | 1.7.1 (including) |
| Cloud_foundry_uaa | Pivotal_software | * | 3.3.0 (including) |
| Login-server | Pivotal_software | - (including) | - (including) |