CVE-2019-11290 — Log File Information Exposure in Foundry UAA Release

CWE-532 — Log File Information Exposure3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 36.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloud Foundry UAA Release Cloudfoundry Cf-deployment Cloudfoundry User Account AND Authentication

Timeline

PublishedNov 26

Latest updateMay 24

Description

Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5cloud_foundry/uaa_releaseAll — v74.8.0

▶NVDcloudfoundry/user_account_and_authentication< 74.8.0

▶NVDcloudfoundry/cf-deployment< 12.10.0

🔴Vulnerability Details

GHSA

GHSA-gv3c-929j-rc7p: Cloud Foundry UAA Release, versions prior to v74↗2022-05-24

▶

CVEList

Cloud Foundry UAA logs query parameters in tomcat access file↗2019-11-25

▶