gsd-2019-11270
Vulnerability from gsd
Modified
2023-12-13 01:24
Details
Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-11270",
"description": "Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the \u0027clients.write\u0027 authority or scope can bypass the restrictions imposed on clients created via \u0027clients.write\u0027 and create clients with arbitrary scopes that the creator does not possess.",
"id": "GSD-2019-11270"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-11270"
],
"details": "Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the \u0027clients.write\u0027 authority or scope can bypass the restrictions imposed on clients created via \u0027clients.write\u0027 and create clients with arbitrary scopes that the creator does not possess.",
"id": "GSD-2019-11270",
"modified": "2023-12-13T01:24:01.409699Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2019-08-01T00:00:00.000Z",
"ID": "CVE-2019-11270",
"STATE": "PUBLIC",
"TITLE": "UAA clients.write vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "UAA Release (OSS)",
"version": {
"version_data": [
{
"version_value": "prior to v73.4.0"
}
]
}
}
]
},
"vendor_name": "Cloud Foundry"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the \u0027clients.write\u0027 authority or scope can bypass the restrictions imposed on clients created via \u0027clients.write\u0027 and create clients with arbitrary scopes that the creator does not possess."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-269: Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cloudfoundry.org/blog/cve-2019-11270",
"refsource": "CONFIRM",
"url": "https://www.cloudfoundry.org/blog/cve-2019-11270"
},
{
"name": "https://pivotal.io/security/cve-2019-11270",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2019-11270"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:pivotal_software:operations_manager:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.6.4",
"versionStartIncluding": "2.6.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:pivotal_software:operations_manager:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.4.16",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.3.15",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:pivotal_software:operations_manager:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.3.22",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.6.2",
"versionStartIncluding": "2.6.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.5.7",
"versionStartIncluding": "2.5.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.4.11",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "73.4.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:pivotal_software:operations_manager:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.5.10",
"versionStartIncluding": "2.5.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"ID": "CVE-2019-11270"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the \u0027clients.write\u0027 authority or scope can bypass the restrictions imposed on clients created via \u0027clients.write\u0027 and create clients with arbitrary scopes that the creator does not possess."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2019-11270",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-11270"
},
{
"name": "https://www.cloudfoundry.org/blog/cve-2019-11270",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://www.cloudfoundry.org/blog/cve-2019-11270"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2020-10-02T14:01Z",
"publishedDate": "2019-08-05T17:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…