PT-2019-12217 · Cloud Foundry · Cloud Foundry Uaa

Yuval Avrahami · Published 2019-06-29 · Updated 2020-10-02 · CVE-2019-11268

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Cloud Foundry UAA versions prior to 73.3.0

Description

The issue concerns improper escaping in certain endpoints, allowing an authenticated malicious user with basic read privileges for one identity zone to extend those privileges to all other identity zones. This enables the malicious user to obtain private information on users, clients, and groups in all other identity zones.

Recommendations

For versions prior to 73.3.0, update to version 73.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable endpoints to minimize the risk of exploitation. Additionally, limit the privileges of users with basic read access to prevent them from extending their access to other identity zones.

Fix

Information Disclosure

Improper Encoding or Escaping of Output

Weakness Enumeration

Related Identifiers

CVE-2019-11268

Affected Products

Cloud Foundry Uaa