CVE-2019-11278

Name of the Vulnerable Software and Affected Versions CF UAA versions prior to 74.1.0

Description The issue allows a remote malicious user with 'client.write' and 'groups.update' permissions to craft a SCIM query, which leaks information that enables an escalation of privileges. This ultimately allows the malicious user to gain control of UAA scopes they should not have.

Recommendations For CF UAA versions prior to 74.1.0, update to version 74.1.0 or later to resolve the issue. As a temporary workaround, consider restricting the 'client.write' and 'groups.update' permissions to minimize the risk of exploitation.