Vulnerability Description
Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pivotal Software | Application Service | >= 2.3.0, < 2.3.15 |
| Pivotal Software | Cloud Foundry Uaa | < 73.4.0 |
| Pivotal Software | Operations Manager | >= 2.3.0, < 2.3.22 |
Related Weaknesses (CWE)
References
- https://pivotal.io/security/cve-2019-11270Vendor Advisory
- https://www.cloudfoundry.org/blog/cve-2019-11270Vendor Advisory
- https://pivotal.io/security/cve-2019-11270Vendor Advisory
- https://www.cloudfoundry.org/blog/cve-2019-11270Vendor Advisory
FAQ
What is CVE-2019-11270?
CVE-2019-11270 is a vulnerability with a CVSS score of 7.5 (HIGH). Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created vi...
How severe is CVE-2019-11270?
CVE-2019-11270 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-11270?
Check the references section above for vendor advisories and patch information. Affected products include: Pivotal Software Application Service, Pivotal Software Cloud Foundry Uaa, Pivotal Software Operations Manager.