UAA defaults email address to an insecure domain
CVE-2019-3787

8.3HIGH

Key Information:

Vendor: Cloud Foundry
Status: Uaa Release (oss)
Vendor: CVE Published:; 19 June 2019

🔔 Create Cloud Foundry Vulnerability Alert

What is CVE-2019-3787?

Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending “unknown.org” to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user's account.

Affected Version(s)

UAA Release (OSS) All

References

https://www.cloudfoundry.org/blog/cve-2019-3787

x_refsource_CONFIRM

CVSS V3.1

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

CVSS V3.0

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 19, 2019
Vulnerability Reserved
Jan 3, 2019

CVE-2019-3787 Data

JSON