CVE-2019-3775 — Authentication Bypass by Spoofing in Foundry UAA Release

CWE-290 — Authentication Bypass by Spoofing CWE-287 — Improper Authentication5 documents4 sources

Severity

6.5MEDIUMNVD

CNA7.1

EPSS

0.1%

top 67.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloud Foundry UAA Release Cloudfoundry UAA Release

Timeline

PublishedMar 7

Latest updateMay 13

Description

Cloud Foundry UAA, versions prior to v70.0, allows a user to update their own email address. A remote authenticated user can impersonate a different user by changing their email address to that of a different user.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDcloudfoundry/uaa_release< 70.0

▶CVEListV5cloud_foundry/uaa_releaseAll — v70.0

🔴Vulnerability Details

GHSA

GHSA-hwg9-rc2h-c2p3: Cloud Foundry UAA, versions prior to v70↗2022-05-13

▶

CVEList

UAA allows users to modify their own email address↗2019-03-07

▶

💬Community

Bugzilla

CVE-2019-13721 chromium-browser: use-after-free in PDFium↗2019-11-04

▶

Bugzilla

CVE-2019-13720 chromium-browser: use-after-free in audio↗2019-11-04

▶