fkie_cve-2019-11270
Vulnerability from fkie_nvd
Published
2019-08-05 17:15
Modified
2024-11-21 04:20
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.
References
security@pivotal.iohttps://pivotal.io/security/cve-2019-11270Vendor Advisory
security@pivotal.iohttps://www.cloudfoundry.org/blog/cve-2019-11270Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://pivotal.io/security/cve-2019-11270Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.cloudfoundry.org/blog/cve-2019-11270Vendor Advisory
Impacted products
Vendor Product Version
pivotal_software application_service *
pivotal_software application_service *
pivotal_software application_service *
pivotal_software application_service *
pivotal_software cloud_foundry_uaa *
pivotal_software operations_manager *
pivotal_software operations_manager *
pivotal_software operations_manager *
pivotal_software operations_manager *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA028AB4-A389-41D4-997B-23DD70DC3025",
              "versionEndExcluding": "2.3.15",
              "versionStartIncluding": "2.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9103B5F4-870C-4629-871D-25DB2C96E6C6",
              "versionEndExcluding": "2.4.11",
              "versionStartIncluding": "2.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF7BA0B1-9C33-42F1-8ACA-6AE2EAC13F5B",
              "versionEndExcluding": "2.5.7",
              "versionStartIncluding": "2.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C687BD70-0109-4798-9B9D-C7BD35D601D5",
              "versionEndExcluding": "2.6.2",
              "versionStartIncluding": "2.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D95746D-026A-4B5A-BEDF-3218F10AF7F0",
              "versionEndExcluding": "73.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:operations_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA8501AB-24B2-4A92-AEDD-2EE7CD852DB5",
              "versionEndExcluding": "2.3.22",
              "versionStartIncluding": "2.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:operations_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CB30A404-6A76-4226-A224-12B6A8131A38",
              "versionEndExcluding": "2.4.16",
              "versionStartIncluding": "2.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:operations_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F0C15A4-76D8-4740-B5F6-70607C83A5DA",
              "versionEndExcluding": "2.5.10",
              "versionStartIncluding": "2.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:operations_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0AF17FF-40DC-4FC6-B89B-4AE8C1372FD8",
              "versionEndExcluding": "2.6.4",
              "versionStartIncluding": "2.6.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the \u0027clients.write\u0027 authority or scope can bypass the restrictions imposed on clients created via \u0027clients.write\u0027 and create clients with arbitrary scopes that the creator does not possess."
    },
    {
      "lang": "es",
      "value": "Cloud Foundry UAA versiones anteriores a v73.4.0, contienen una vulnerabilidad en la que un cliente malicioso bajo posesi\u00f3n de la autoridad o el alcance \"clients.write\" puede omitir las restricciones impuestas a los clientes creados por medio de \"clients.write\" y crear clientes con alcances arbitrarios que no poseen."
    }
  ],
  "id": "CVE-2019-11270",
  "lastModified": "2024-11-21T04:20:49.487",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 5.8,
        "source": "security@pivotal.io",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-08-05T17:15:10.820",
  "references": [
    {
      "source": "security@pivotal.io",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://pivotal.io/security/cve-2019-11270"
    },
    {
      "source": "security@pivotal.io",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.cloudfoundry.org/blog/cve-2019-11270"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://pivotal.io/security/cve-2019-11270"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.cloudfoundry.org/blog/cve-2019-11270"
    }
  ],
  "sourceIdentifier": "security@pivotal.io",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-269"
        }
      ],
      "source": "security@pivotal.io",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.