Privilege Escalation via Scope Manipulation in UAA
CVE-2019-11279

8.7HIGH

Key Information:

Vendor: Cloud Foundry
Status: Uaa Release (oss)
Vendor: CVE Published:; 26 September 2019

🔔 Create Cloud Foundry Vulnerability Alert

What is CVE-2019-11279?

CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls.

Affected Version(s)

UAA Release (OSS) prior to 74.1.0

References

https://www.cloudfoundry.org/blog/cve-2019-11279

x_refsource_CONFIRM

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

CVSS V3.0

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 26, 2019
Vulnerability Reserved
Apr 18, 2019

CVE-2019-11279 Data

JSON