PT-2019-12227 · Pivotal · Pivotal Application Service+1
Published
2019-09-20
·
Updated
2019-10-09
·
CVE-2019-11280
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Pivotal Application Service versions 2.3.x through 2.3.17
Pivotal Application Service versions 2.4.x through 2.4.13
Pivotal Application Service versions 2.5.x through 2.5.9
Pivotal Application Service versions 2.6.x through 2.6.4
Description
The issue concerns the invitations microservice in Pivotal Apps Manager, which is part of Pivotal Application Service. This microservice allows users to invite others to their organizations. However, a remote authenticated user can exploit this feature to gain additional privileges by inviting themselves to spaces they should not have access to.
Recommendations
For versions 2.3.x through 2.3.17, update to version 2.3.18 or later.
For versions 2.4.x through 2.4.13, update to version 2.4.14 or later.
For versions 2.5.x through 2.5.9, update to version 2.5.10 or later.
For versions 2.6.x through 2.6.4, update to version 2.6.5 or later.
Fix
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pivotal Application Service
Pivotal Apps Manager