CVE-2019-11279 — Command Injection in UAA Release

CWE-77 — Command Injection3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 39.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloudfoundry UAA Release Cloud Foundry UAA Release

Timeline

PublishedSep 26

Latest updateMay 24

Description

CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDcloudfoundry/uaa_release< 74.1.0

▶CVEListV5cloud_foundry/uaa_releaseprior to 74.1.0

🔴Vulnerability Details

GHSA

GHSA-272q-hvx6-q97c: CF UAA versions prior to 74↗2022-05-24

▶

CVEList

Privilege Escalation via Scope Manipulation in UAA↗2019-09-26

▶