Vulnerability Description
CF UAA versions prior to 74.1.0 allow external input to be queried against directly. A remote malicious user with the 'client.write' and 'groups.update' scopes can craft a SCIM query that leaks information enabling an escalation of privileges, ultimately allowing the malicious user to gain control of UAA scopes they should not have.
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cloudfoundry | User Account And Authentication | < 74.1.0 |
Related Weaknesses (CWE)
References
- https://www.cloudfoundry.org/blog/cve-2019-11278 (Vendor Advisory)
FAQ
What is CVE-2019-11278?
CVE-2019-11278 is a vulnerability with a CVSS score of 8.8 (HIGH). CF UAA versions prior to 74.1.0 allow external input to be queried against directly. A remote malicious user with the 'client.write' and 'groups.update' scopes can craft a SCIM query that leaks information th...
How severe is CVE-2019-11278?
CVE-2019-11278 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2019-11278?
Check the References section above for the vendor advisory and patch information; the vendor advisory indicates the issue is fixed in UAA 74.1.0. Affected products include: Cloudfoundry User Account And Authentication (< 74.1.0).