Cloud Foundry · Cloud Foundry Uaa · CVE-2019-3787
**Name of the Vulnerable Software and Affected Versions**
Cloud Foundry UAA versions prior to 73.0.0
**Description**
The issue allows potential account takeover via password recovery emails delivered to an address that may be fraudulent. When a user's email address is not provided and the username does not contain an @ character, the system forms the address by appending "unknown.org". Because "unknown.org" is held by a private company, password recovery mail for such accounts is delivered to a domain outside the operator's control, which creates an attack vector.
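To make the defect concrete, the following is an added example and not UAA's own code: it models the placeholder-address rule the advisory describes beside a hardened rule that only sends recovery mail to a verified address, plus an audit helper that lists accounts the legacy rule would have affected. The user-record shape, the function names and the email_verified flag are assumptions made for the example.

```python
# Added illustrative model of the defect described in this advisory; it is not
# Cloud Foundry UAA's own code. Function names, the user-record shape and the
# email_verified flag are assumptions made for the example.
from typing import Optional, TypedDict

PLACEHOLDER_DOMAIN = "unknown.org"  # fallback domain named in the advisory


class User(TypedDict):
    username: str
    email: Optional[str]
    email_verified: bool


def legacy_recovery_address(user: User) -> str:
    """Pre-73.0.0 behaviour as the advisory describes it: no email on file and
    no '@' in the username yields username@unknown.org."""
    if user["email"]:
        return user["email"]
    if "@" in user["username"]:
        return user["username"]
    return f'{user["username"]}@{PLACEHOLDER_DOMAIN}'


def hardened_recovery_address(user: User) -> Optional[str]:
    """Safer rule: never synthesise a mailbox on a domain the operator does not
    control; send recovery mail only to a verified address, else refuse."""
    if user["email"] and user["email_verified"]:
        return user["email"]
    return None


def accounts_on_placeholder_domain(users: list[User]) -> list[str]:
    """Defender audit: usernames whose recovery mail would have gone to the
    placeholder domain under the legacy rule, i.e. accounts to review."""
    suffix = "@" + PLACEHOLDER_DOMAIN
    return [u["username"] for u in users
            if legacy_recovery_address(u).lower().endswith(suffix)]


# Constructed sample directory for the audit; these are not real accounts.
SAMPLE_USERS: list[User] = [
    {"username": "alice", "email": None, "email_verified": False},
    {"username": "bob@example.com", "email": None, "email_verified": False},
    {"username": "carol", "email": "carol@example.com", "email_verified": True},
]
```

Running the audit over a real user export before and after upgrading shows which accounts had no verified address and should be asked to set one.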
**Recommendations**
For versions prior to 73.0.0, update to version 73.0.0 or later to resolve the issue.