CVE-2019-11278: Command Injection in User Account and Authentication

CWE-77: Command Injection (3 documents, 3 sources)
Severity
8.8 HIGH (NVD)
EPSS
0.4%
top 42.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 26
Latest update: May 24

Description

CF UAA versions prior to 74.1.0 allow external input to be queried against directly. A remote malicious user with the 'client.write' and 'groups.update' scopes can craft a SCIM query that leaks information enabling an escalation of privileges, ultimately allowing the malicious user to gain control of UAA scopes they should not have.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

Vulnerability Details

GHSA
GHSA-6c72-gqp5-jh4r: CF UAA versions prior to 74 (2022-05-24)
CVEList
Privilege Escalation via Blind SCIM Injection in UAA (2019-09-26)
CVE-2019-11278 — Command Injection | cvebase