CVE-2016-6637 UAA CSRF Vulnerability for OAuth Approvals

Cloud Foundry Foundation

Versions Affected

  • Cloud Foundry release v241 and earlier versions
  • UAA release v2.0.0 - v2.7.4.6 & v3.0.0 - v3.6.0
  • UAA bosh release v15 & earlier versions
  • PCF Elastic Runtime versions prior to 1.6.40, 1.7.x versions prior to 1.7.21, and 1.8.x versions prior to 1.8.1
    • NOTE: Pivotal encourages upgrading 1.8.x versions to 1.8.2
  • PCF Ops Manager 1.7.x versions prior to 1.7.13 and 1.8.x versions prior to 1.8.1

Description

The profile and authorize approval pages do not include CSRF tokens, so a cross-site request can approve or deny OAuth scopes on behalf of a logged-in user.
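To make the defect and its fix concrete, here is a constructed model of a scope-approval endpoint (added here; not UAA's own code, and the `Session`, `handle_approval` and form-field names are assumptions). With `require_csrf=False` it behaves like the affected pages; with the default it requires the session-bound synchronizer token that the fixed releases add.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of an OAuth scope-approval endpoint (hypothetical, not UAA
# code). It shows the session-bound synchronizer token the affected pages lacked.

@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    approvals: dict = field(default_factory=dict)  # scope name -> approved?

def render_approval_form(session: Session, scopes: list) -> dict:
    """Hardened page: the per-session token travels as a hidden form field."""
    return {"scopes": list(scopes), "_csrf": session.csrf_token}

def handle_approval(session: Session, form: dict, require_csrf: bool = True) -> tuple:
    """Process a POST to the approval page; returns (status, approvals).

    require_csrf=False reproduces the behaviour the advisory describes: any
    cross-site POST riding on the victim's session cookie changes approvals.
    With require_csrf=True the token must match the session before any state
    is touched; the constant-time compare avoids leaking it byte by byte.
    """
    if require_csrf:
        submitted = str(form.get("_csrf", "")).encode()
        if not hmac.compare_digest(submitted, session.csrf_token.encode()):
            return 403, dict(session.approvals)
    for key, value in form.items():
        if key.startswith("scope."):
            session.approvals[key[len("scope."):]] = (value == "true")
    return 200, dict(session.approvals)

def cross_site_form() -> dict:
    """Fields a third-party page could auto-submit on the victim's behalf. The
    token is tied to the victim's session, so such a page never learns it."""
    return {"scope.openid": "true", "scope.cloud_controller.write": "true"}

def demo() -> dict:
    vulnerable = Session(user="alice")
    unpatched = handle_approval(vulnerable, cross_site_form(), require_csrf=False)
    patched = Session(user="alice")
    forged = handle_approval(patched, cross_site_form())
    legit_form = dict(render_approval_form(patched, ["openid"]), **{"scope.openid": "false"})
    legit = handle_approval(patched, legit_form)
    return {"unpatched": unpatched, "forged": forged, "legit": legit}
```

`demo()` returns a 200 with both scopes granted for the unpatched case, a 403 with no change for the same request against the patched endpoint, and a 200 for the legitimate token-bearing submission.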

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry v242 [1] or later
  • For standalone UAA users:
    • For users of UAA versions 3.0.0 - 3.6.0, please upgrade to UAA release v3.7.0 [2], v3.4.4 [3] or v3.3.0.5 [4]
    • For users of standalone UAA versions 2.X.X, please upgrade to UAA release v2.7.4.7 [5]
    • For users of the UAA bosh release, please upgrade to UAA-Release v16 [6] if upgrading to v3.7.0 [2], v12.5 [7] if upgrading to v3.4.4 [3], or v11.5 [8] if upgrading to v3.3.0.5 [4]

Pivotal Cloud Foundry users of affected versions are encouraged to follow the mitigations below:

  • Upgrade Pivotal Elastic Runtime to 1.6.40, 1.7.x versions to 1.7.21, and 1.8.x versions to 1.8.2
  • Upgrade Pivotal Ops Manager 1.7.x versions to 1.7.13 and 1.8.x versions to 1.8.1

Credit

GE Digital Security Team

History

2016-09-26: Initial vulnerability report published