CVE-2019-11280 — Improper Privilege Management in Software Pivotal Application Service

CWE-269 — Improper Privilege Management3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.6%

top 31.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pivotal Software Pivotal Application Service Pivotal Application Service

Timeline

PublishedSep 20

Latest updateMay 24

Description

Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain additional privileges by inviting themselves to spaces that they should not have access to.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDpivotal_software/pivotal_application_service2.3.0 — 2.3.18+3

▶CVEListV5pivotal/pivotal_application_service4 versions+3

🔴Vulnerability Details

GHSA

GHSA-3882-vm2r-v25j: Pivotal Apps Manager, included in Pivotal Application Service versions 2↗2022-05-24

▶

CVEList

Privilege escalation through the invitations service↗2019-09-20

▶