PT-2019-16717 · Cloud Foundry · Cloud Foundry Uaa

Kristian Kraljic

·

Published

2019-06-19

·

Updated

2020-02-10

·

CVE-2019-3787

CVSS v3.1

8.8

High

Vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Cloud Foundry UAA versions prior to 73.0.0

Description: The issue allows potential account takeover through password-recovery e-mails delivered to an address the legitimate user does not control. When a user is created without an e-mail address and the username does not contain an "@" character, UAA synthesizes one by appending "@unknown.org" to the username, so a password-reset request for that account is mailed to username@unknown.org. Because unknown.org is a registered domain held by a private party rather than by the platform operator, whoever controls that domain (or a mailbox under it) can receive the reset link for the account, which turns a harmless-looking default into an attack vector.

Recommendations: For versions prior to 73.0.0, update to version 73.0.0 or later to resolve the issue. Until the upgrade is done, audit existing accounts for primary e-mail addresses under unknown.org and correct them, and avoid creating users with a non-e-mail username and no e-mail address.
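The fallback described above, as an added example that is not Cloud Foundry UAA's own code: `email_for()` models where a recovery mail goes with and without the pre-73.0.0 fallback, and `audit_users()` scans a constructed listing in the shape of UAA's SCIM `/Users` response for accounts whose recovery mail would leave the operator's domains. The record layout, field names and the `operator_domains` allow-list are assumptions for the illustration.

```python
"""CVE-2019-3787: model of the e-mail fallback plus an audit over SCIM user records.

Added example, not Cloud Foundry UAA's own code. email_for() reproduces the
behaviour the advisory describes; audit_users() scans a constructed /Users
listing for accounts whose recovery mail would leave the operator's domains.
"""
import json

FALLBACK_DOMAIN = "unknown.org"  # the domain named in the advisory


def email_for(username, emails, synthesize_fallback):
    """Address a password-recovery mail for this account would be sent to.

    synthesize_fallback=True models UAA before 73.0.0 as the advisory describes:
    no e-mail on record and a username without '@' yields username@unknown.org.
    synthesize_fallback=False is the hardened behaviour: no address on record
    means None (send nothing) instead of mailing a guessed address.
    """
    if emails:
        return emails[0]
    if "@" in username:
        return username
    return f"{username}@{FALLBACK_DOMAIN}" if synthesize_fallback else None


def domain_of(address):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    _, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""


def audit_users(scim_listing_json, operator_domains):
    """Flag accounts whose primary e-mail is outside the operator's domains.

    Returns a list of (userName, email, reason). A synthesized
    <userName>@unknown.org address is reported separately from a merely
    foreign domain so the CVE-2019-3787 cases stand out; an account with no
    e-mail at all is reported too, since that is where the fallback applies.
    """
    listing = json.loads(scim_listing_json)
    owned = {d.lower() for d in operator_domains}
    findings = []
    for user in listing.get("resources", []):
        name = user.get("userName", "")
        entries = user.get("emails", [])
        primary = next((e.get("value", "") for e in entries if e.get("primary")),
                       entries[0].get("value", "") if entries else "")
        if not primary:
            findings.append((name, "", "no-email-on-record"))
        elif primary.lower() == f"{name}@{FALLBACK_DOMAIN}".lower():
            findings.append((name, primary, "synthesized-fallback"))
        elif domain_of(primary) not in owned:
            findings.append((name, primary, "foreign-domain"))
    return findings


# Constructed listing in the shape of UAA's SCIM /Users response (sample data,
# not taken from any real deployment).
SAMPLE_USERS_JSON = json.dumps({
    "resources": [
        {"userName": "alice@example.com",
         "emails": [{"value": "alice@example.com", "primary": True}]},
        {"userName": "svc-deploy",
         "emails": [{"value": "svc-deploy@unknown.org", "primary": True}]},
        {"userName": "bob",
         "emails": [{"value": "bob@partner.example", "primary": True}]},
        {"userName": "carol", "emails": []},
    ],
    "totalResults": 4,
})


if __name__ == "__main__":
    for user in json.loads(SAMPLE_USERS_JSON)["resources"]:
        values = [e["value"] for e in user["emails"]]
        print(f"{user['userName']:>18}: pre-73.0.0 -> "
              f"{email_for(user['userName'], values, True)}, "
              f"hardened -> {email_for(user['userName'], values, False)}")
    for finding in audit_users(SAMPLE_USERS_JSON, {"example.com"}):
        print("FLAG", finding)
```

Against a live UAA the same check can be driven from the SCIM endpoint with an admin token, for example `GET /Users?filter=emails.value co "unknown.org"` (filter syntax as assumed from UAA's SCIM API; verify against your version), and every hit should have its e-mail corrected before a password reset is ever requested for it.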

Fix


Weakness Enumeration

Related identifiers

CVE-2019-3787

Affected products

Cloud Foundry Uaa