{"id":"CVE-2017-4973","details":"An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.12, 24.x versions prior to v24.7, and other versions prior to v30. A vulnerability has been identified with the groups endpoint in UAA allowing users to elevate their privileges.","aliases":["GHSA-pgjc-gc7g-p2c6"],"modified":"2026-07-08T05:50:02.386818087Z","published":"2017-06-13T06:29:00.660Z","database_specific":{"unresolved_ranges":[{"vendor_product":"pivotal_software:cloud_foundry_uaa","cpes":["cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.2.5.4:*:*:*:*:*:*:*"],"source":"CPE_STRING","extracted_events":[{"introduced":"2.2.5.4"},{"last_affected":"2.2.5.4"},{"introduced":"2.2.5.4"},{"last_affected":"2.2.5.4"}]}]},"references":[{"type":"ADVISORY","url":"https://www.cloudfoundry.org/cve-2017-4973/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cloudfoundry-attic/cf-release","events":[{"introduced":"0"},{"last_affected":"2dcce2b8f4f6a32915d3ab4b8f0abb5341971217"}],"database_specific":{"cpe":"cpe:2.3:a:pivotal_software:cloud_foundry_cf:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"256"}],"source":"CPE_RANGE"}}],"versions":["v256","v253","v249","v245","v205","v183","v170","v161","v157","v156","rc145.0","v143","works-for-us","v140","v137","v136","v135","v134","v133","v132","scotty_09012012","v119","v109","v105","v104","v103","v102","v100","v99","-","log","list"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-4973.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/cloudfoundry/uaa","events":[{"introduced":"7640c1433ec193b6696ee5e37a524a353fb3053e"},{"last_affected":"acbc2bbf50068532d5a39a3a95163cb01ea14b25"}],"database_specific":{"cpe":["cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.2.5.4:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.7.1:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.7.2:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.7.3:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.7.4:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.7.4.1:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.7.4.2:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.7.4.3:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.7.4.4:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.7.4.5:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.7.4.6:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.7.4.7:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.7.4.8:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.7.4.9:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.7.4.11:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.7.4.12:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:2.7.4.13:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.6.1:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.6.2:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.6.3:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.6.4:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.6.5:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.6.6:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.6.7:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.9.1:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.9.2:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.9.3:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.9.4:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.9.5:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.9.6:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.9.7:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.9.8:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.9.9:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.9.12:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_uaa:3.9.13:*:*:*:*:*:*:*"],"source":"CPE_STRING","extracted_events":[{"introduced":"2.2.5.4"},{"last_affected":"2.2.5.4"},{"introduced":"2.7.1"},{"last_affected":"2.7.1"},{"introduced":"2.7.2"},{"last_affected":"2.7.2"},{"introduced":"2.7.3"},{"last_affected":"2.7.3"},{"introduced":"2.7.4"},{"last_affected":"2.7.4"},{"introduced":"2.7.4.1"},{"last_affected":"2.7.4.1"},{"introduced":"2.7.4.2"},{"last_affected":"2.7.4.2"},{"introduced":"2.7.4.3"},{"last_affected":"2.7.4.3"},{"introduced":"2.7.4.4"},{"last_affected":"2.7.4.4"},{"introduced":"2.7.4.5"},{"last_affected":"2.7.4.5"},{"introduced":"2.7.4.6"},{"last_affected":"2.7.4.6"},{"introduced":"2.7.4.7"},{"last_affected":"2.7.4.7"},{"introduced":"2.7.4.8"},{"last_affected":"2.7.4.8"},{"introduced":"2.7.4.9"},{"last_affected":"2.7.4.9"},{"introduced":"2.7.4.11"},{"last_affected":"2.7.4.11"},{"introduced":"2.7.4.12"},{"last_affected":"2.7.4.12"},{"introduced":"2.7.4.13"},{"last_affected":"2.7.4.13"},{"introduced":"3.6.1"},{"last_affected":"3.6.1"},{"introduced":"3.6.2"},{"last_affected":"3.6.2"},{"introduced":"3.6.3"},{"last_affected":"3.6.3"},{"introduced":"3.6.4"},{"last_affected":"3.6.4"},{"introduced":"3.6.5"},{"last_affected":"3.6.5"},{"introduced":"3.6.6"},{"last_affected":"3.6.6"},{"introduced":"3.6.7"},{"last_affected":"3.6.7"},{"introduced":"3.9.1"},{"last_affected":"3.9.1"},{"introduced":"3.9.2"},{"last_affected":"3.9.2"},{"introduced":"3.9.3"},{"last_affected":"3.9.3"},{"introduced":"3.9.4"},{"last_affected":"3.9.4"},{"introduced":"3.9.5"},{"last_affected":"3.9.5"},{"introduced":"3.9.6"},{"last_affected":"3.9.6"},{"introduced":"3.9.7"},{"last_affected":"3.9.7"},{"introduced":"3.9.8"},{"last_affected":"3.9.8"},{"introduced":"3.9.9"},{"last_affected":"3.9.9"},{"introduced":"3.9.12"},{"last_affected":"3.9.12"},{"introduced":"3.9.13"},{"last_affected":"3.9.13"}]}}],"versions":["2.2.5.4","2.7.1","2.7.2","2.7.3","2.7.4","2.7.4.1","2.7.4.11","2.7.4.12","2.7.4.13","2.7.4.2","2.7.4.3","2.7.4.4","2.7.4.5","2.7.4.6","2.7.4.7","2.7.4.8","2.7.4.9","3.6.1","3.6.2","3.6.3","3.6.4","3.6.5","3.6.6","3.6.7","3.9.1","3.9.12","3.9.13","3.9.2","3.9.3","3.9.4","3.9.5","3.9.6","3.9.7","3.9.8","3.9.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-4973.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/cloudfoundry/uaa-release","events":[{"introduced":"0"},{"last_affected":"8c5ccff535f9fb3b924a3d1c52f795b0f8242054"},{"introduced":"9e9bc18c684b92f99e5ff97b857729ebb657f993"},{"last_affected":"87308108195b925a3076185fdcb83bc4cea02471"}],"database_specific":{"cpe":["cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:*:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:13.1:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:13.2:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:13.3:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:13.4:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:13.5:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:13.6:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:13.7:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:13.8:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:13.9:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:13.10:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:13.11:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:24:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:24.1:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:24.2:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:24.3:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:24.4:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:24.5:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:24.6:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:30.1:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:30.2:*:*:*:*:*:*:*","cpe:2.3:a:cloudfoundry:cloud_foundry_uaa_bosh:30.3:*:*:*:*:*:*:*"],"source":["CPE_RANGE","CPE_STRING"],"extracted_events":[{"introduced":"0"},{"last_affected":"30"},{"introduced":"13.1"},{"last_affected":"13.1"},{"introduced":"13.2"},{"last_affected":"13.2"},{"introduced":"13.3"},{"last_affected":"13.3"},{"introduced":"13.4"},{"last_affected":"13.4"},{"introduced":"13.5"},{"last_affected":"13.5"},{"introduced":"13.6"},{"last_affected":"13.6"},{"introduced":"13.7"},{"last_affected":"13.7"},{"introduced":"13.8"},{"last_affected":"13.8"},{"introduced":"13.9"},{"last_affected":"13.9"},{"introduced":"13.10"},{"last_affected":"13.10"},{"introduced":"13.11"},{"last_affected":"13.11"},{"introduced":"24"},{"last_affected":"24"},{"introduced":"24.1"},{"last_affected":"24.1"},{"introduced":"24.2"},{"last_affected":"24.2"},{"introduced":"24.3"},{"last_affected":"24.3"},{"introduced":"24.4"},{"last_affected":"24.4"},{"introduced":"24.5"},{"last_affected":"24.5"},{"introduced":"24.6"},{"last_affected":"24.6"},{"introduced":"30.1"},{"last_affected":"30.1"},{"introduced":"30.2"},{"last_affected":"30.2"},{"introduced":"30.3"},{"last_affected":"30.3"}]}}],"versions":["13.1","13.10","13.11","13.2","13.3","13.4","13.5","13.6","13.7","24","24.1","24.2","24.3","24.4","24.5","24.6","30.1","30.2","30.3","v30.3","v30.2","v30.1","v30","v27","v26","v24","v25","v23","v22","v21","v20","v19","v18","v17","v16","v15","v14","v12.3","ci-upgrade","v12","v11","v10","v9","v8","v7","v6","v3","v2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-4973.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}