Vulnerability Monitor

CVE-2019-11280


Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain additional privileges by inviting themselves to spaces that they should not have access to.


Published

2019-09-20T19:15:11.407

Last Modified

2024-11-21T04:20:50.590

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

6.4

Weaknesses
  • Type: Secondary
    CWE-269
  • Type: Primary
    CWE-269

Affected Vendors & Products

| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | pivotal_software | pivotal_application_service | < 2.3.18 | Yes |
| Application | pivotal_software | pivotal_application_service | < 2.4.14 | Yes |
| Application | pivotal_software | pivotal_application_service | < 2.5.10 | Yes |
| Application | pivotal_software | pivotal_application_service | < 2.6.5 | Yes |