CVE-2019-11293 — Log File Information Exposure in Foundry UAA Release

CWE-532 — Log File Information Exposure3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.5%

top 32.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloud Foundry UAA Release Cloudfoundry Cf-deployment Cloudfoundry User Account AND Authentication

Timeline

PublishedDec 6

Latest updateMay 24

Description

Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDcloudfoundry/user_account_and_authentication< 74.10.0

▶CVEListV5cloud_foundry/uaa_releaseAll — v74.10.0

▶NVDcloudfoundry/cf-deployment< 12.12.0

🔴Vulnerability Details

GHSA

GHSA-75vm-6gpr-f398: Cloud Foundry UAA Release, versions prior to v74↗2022-05-24

▶

CVEList

UAA logs all query parameters with debug logging level↗2019-12-06

▶