Vulnerability Description
Cloud Foundry Cloud Controller API Release, versions prior to 1.79.0, contains improper authentication when validating user permissions. A remote authenticated malicious user with the ability to create UAA clients and knowledge of the email of a victim in the foundation may escalate their privileges to that of the victim by creating a client with a name equal to the guid of their victim.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cloudfoundry | Capi-Release | < 1.79.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/108095Third Party AdvisoryVDB Entry
- https://www.cloudfoundry.org/blog/cve-2019-3798Vendor Advisory
- http://www.securityfocus.com/bid/108095Third Party AdvisoryVDB Entry
- https://www.cloudfoundry.org/blog/cve-2019-3798Vendor Advisory
FAQ
What is CVE-2019-3798?
CVE-2019-3798 is a vulnerability with a CVSS score of 6.0 (MEDIUM). Cloud Foundry Cloud Controller API Release, versions prior to 1.79.0, contains improper authentication when validating user permissions. A remote authenticated malicious user with the ability to creat...
How severe is CVE-2019-3798?
CVE-2019-3798 has been rated MEDIUM with a CVSS base score of 6.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-3798?
Check the references section above for vendor advisories and patch information. Affected products include: Cloudfoundry Capi-Release.