{"id":"CVE-2017-4963","details":"An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA BOSH release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect-based identity providers.","modified":"2026-03-10T14:27:25.946035Z","published":"2017-06-13T06:29:00.427Z","references":[{"type":"WEB"},{"type":"ADVISORY","url":"https://www.cloudfoundry.org/cve-2017-4963/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cloudfoundry-attic/cf-release","events":[{"introduced":"0"},{"last_affected":"4e2e687eb3f8ebe6081fc5dc447522b37d3847c3"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"252"}]}},{"type":"GIT","repo":"https://github.com/cloudfoundry/uaa","events":[{"introduced":"6e2a351c64789a7416165191515106639735bf97"},{"last_affected":"7dcb384183b4bb50bc30f1671d5bdeb6fdb01099"},{"introduced":"2324b38f690ff5809fefd8217b319c9dbdc10c99"},{"last_affected":"0e3013bda9c13c630f2dd469368b93cb1b73f006"}],"database_specific":{"versions":[{"introduced":"2.0.0"},{"last_affected":"2.7.4.12"},{"introduced":"3.0.0"},{"last_affected":"3.11.0"}]}},{"type":"GIT","repo":"https://github.com/cloudfoundry/uaa-release","events":[{"introduced":"0"},{"last_affected":"03c13c872ca0fdb1ec317888911fff2628501e2b"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"26"}]}}],"versions":["-","2.0.0","2.0.1","2.0.2","2.0.3","2.1.0","2.2.0","2.2.4","2.2.4.1","2.2.5","2.2.6","2.3.0","2.3.1","2.3.1.1","2.4.0","2.4.1","2.5.0","2.5.1","2.5.2","2.6.0","2.6.1","2.6.2","2.7.0","2.7.0.1","2.7.0.2","2.7.0.3","2.7.1","2.7.2","2.7.3","3.0.0","3.0.1","3.1.0","3.10.0","3.11.0","3.2.0","3.2.1","3.3.0","3.3.0.1","3.4.0","3.4.1","3.4.2","3.5.0","3.6.0","3.7.0","3.7.1","3.7.2","3.7.3","3.7.4","3.8.0","3.9.0","3.9.1","3.9.2","3.9.3","ci-upgrade","list","log","rc145.0","scotty_09012012","travis-success-1475","travis-success-1478","travis-success-1497","v","v10","v100","v101","v102","v103","v104","v105","v106","v107","v108","v109","v11","v11.1","v11.2","v11.3","v110","v111","v112","v113","v114","v115","v116","v117","v118","v119","v119-fixed","v12","v12.1","v12.2","v12.3","v120","v121","v122","v123","v124","v125","v126","v127","v128","v129","v13","v130","v131","v132","v133","v134","v135","v136","v137","v138","v139","v14","v140","v141","v142","v143","v144","v145","v146","v147","v148","v149","v15","v150","v151","v152","v153","v154","v155","v156","v157","v158","v159","v16","v160","v161","v162","v163","v164","v165","v166","v168","v169","v17","v170","v171","v172","v173","v175","v176","v177","v178","v179","v18","v180","v182","v183","v186","v187","v188","v189","v19","v190","v191","v192","v193","v194","v195","v196","v197","v198","v199","v2","v20","v200","v201","v202","v203","v204","v205","v206","v207","v208","v209","v21","v210","v211","v212","v213","v214","v215","v217","v218","v219","v22","v220","v221","v222","v223","v224","v225","v226","v227","v228","v229","v23","v230","v231","v232","v233","v234","v235","v236","v237","v238","v239","v24","v240","v241","v242","v243","v244","v245","v246","v247","v248","v249","v25","v250","v251","v252","v26","v3","v4","v5","v6","v68","v69","v7","v70","v71","v72","v73","v74","v75","v76","v77","v78","v79","v8","v80","v81","v82","v83","v84","v85","v86","v87","v88","v89","v9","v90","v91","v92","v93","v94","v95","v95-fixed","v96","v97","v98","v99","works-for-us"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-4963.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}