CVE-2019-11270 — Improper Privilege Management in Software Cloud Foundry UAA

CWE-269 — Improper Privilege Management CWE-732 — Incorrect Permission Assignment3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 54.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pivotal Software Application Service Pivotal Software Cloud Foundry UAA Pivotal Software Operations Manager +1 more

Timeline

PublishedAug 5

Latest updateMay 24

Description

Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDpivotal_software/cloud_foundry_uaa< 73.4.0

▶CVEListV5cloud_foundry/uaa_releaseprior to v73.4.0

▶NVDpivotal_software/operations_manager2.3.0 — 2.3.22+3

▶NVDpivotal_software/application_service2.3.0 — 2.3.15+3

🔴Vulnerability Details

GHSA

GHSA-cgmm-ggpv-874w: Cloud Foundry UAA versions prior to v73↗2022-05-24

▶

CVEList

UAA clients.write vulnerability↗2019-08-05

▶