Vulnerability Monitor

CVE-2019-11270

Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.

Published: 2019-08-05T17:15:10.820
Last Modified: 2024-11-21T04:20:49.487
Status: Modified
Source: [email protected]
Severity: CVSSv3.1 7.5 (HIGH)

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
Exploitability Score: 10.0
Impact Score: 2.9

Weaknesses
  • Secondary: CWE-269 (Improper Privilege Management)
  • Primary: CWE-732 (Incorrect Permission Assignment for Critical Resource)

Affected Vendors & Products
Type         Vendor            Product              Version/Range  Vulnerable?
Application  pivotal_software  application_service  < 2.3.15       Yes
Application  pivotal_software  application_service  < 2.4.11       Yes
Application  pivotal_software  application_service  < 2.5.7        Yes
Application  pivotal_software  application_service  < 2.6.2        Yes
Application  pivotal_software  cloud_foundry_uaa    < 73.4.0       Yes
Application  pivotal_software  operations_manager   < 2.3.22       Yes
Application  pivotal_software  operations_manager   < 2.4.16       Yes
Application  pivotal_software  operations_manager   < 2.5.10       Yes
Application  pivotal_software  operations_manager   < 2.6.4        Yes