Privilege Escalation via Blind SCIM Injection in UAA
CVE-2019-11278

8.7HIGH

Key Information:

Vendor: Cloud Foundry
Status: Uaa Release (oss)
Vendor: CVE Published:; 26 September 2019

🔔 Create Cloud Foundry Vulnerability Alert

What is CVE-2019-11278?

CF UAA versions prior to 74.1.0, allow external input to be directly queried against. A remote malicious user with 'client.write' and 'groups.update' can craft a SCIM query, which leaks information that allows an escalation of privileges, ultimately allowing the malicious user to gain control of UAA scopes they should not have.

Affected Version(s)

UAA Release (OSS) prior to 74.1.0

References

https://www.cloudfoundry.org/blog/cve-2019-11278

x_refsource_CONFIRM

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

CVSS V3.0

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 26, 2019
Vulnerability Reserved
Apr 18, 2019

CVE-2019-11278 Data

JSON