PT-2019-12233 · Cloud Foundry · Cloud Foundry Uaa

Published

2019-12-06

·

Updated

2019-12-12

·

CVE-2019-11293

CVSS v3.1

8.8

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Cloud Foundry UAA Release, versions prior to 74.10.0
Description: A remote authenticated attacker who can read the uaa.log file can obtain user credentials. When the UAA logging level is set to DEBUG, the request line including its query string is written to uaa.log, so a client secret sent as a query parameter (instead of in the request body or an Authorization header) is recorded in clear text in the log.
Recommendations: For versions prior to 74.10.0, update to version 74.10.0 or later. Until the upgrade is in place: set the logging level to a value other than DEBUG so request query strings are not written to uaa.log; restrict read access to the uaa.log file to reduce the chance that leaked secrets are harvested; stop sending client secrets as query parameters and pass them in the request body or an Authorization header instead; and treat any client secret that has already appeared in a DEBUG-level log as compromised and rotate it.
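The following is an added example, not code from the advisory or from the UAA project. It shows the two practical checks a responder would want for this class of bug: a scanner that finds and redacts sensitive OAuth parameters a DEBUG-level trace has written into a request line, and a client_credentials token request built so the secret travels in the HTTP Basic Authorization header and the form body rather than the URL. The log line layout, the host uaa.example.com and the three sample lines are constructed assumptions; UAA's real uaa.log format differs, so adjust REQUEST_RE to match it.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines imitating a DEBUG-level request trace. The layout is an
# assumption for this example, not the actual uaa.log format.
SAMPLE_LOG = """\
[2019-12-06 10:00:01.123] DEBUG RequestLogger : POST /oauth/token?grant_type=client_credentials&client_id=app&client_secret=s3cr3t-value
[2019-12-06 10:00:02.456] DEBUG RequestLogger : POST /oauth/token?grant_type=client_credentials
[2019-12-06 10:00:03.789] INFO  RequestLogger : GET /userinfo
"""

# OAuth/OpenID parameters whose values must never be written to a log.
SECRET_PARAMS = {"client_secret", "password", "code", "refresh_token", "access_token"}

# Picks the "METHOD /path?query" part out of a log line (assumed layout).
REQUEST_RE = re.compile(r"\b(GET|POST|PUT|DELETE|PATCH)\s+(\S+)")

# Matches "<sensitive_param>=<value>" inside a URL query string.
SECRET_KV_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, sorted(SECRET_PARAMS))) + r")=([^&\s]*)"
)


def find_leaked_secrets(log_text):
    """Return (line_number, parameter, value) for every sensitive query
    parameter that appears in a logged request line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(2)).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key in SECRET_PARAMS:
                hits.append((n, key, value))
    return hits


def redact_line(line):
    """Mask the value of every sensitive query parameter in one log line."""
    return SECRET_KV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


def scrub_log(log_text):
    """Redact a whole log text before sharing it (e.g. with support)."""
    return "\n".join(redact_line(l) for l in log_text.splitlines())


def basic_auth_header(client_id, client_secret):
    """HTTP Basic credential for the OAuth token endpoint."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def client_credentials_request(client_id, client_secret, scope=None):
    """Describe a token request that keeps the secret out of the URL: the
    client authenticates via the Authorization header and grant parameters
    go in the POST body, so a request-line trace never sees the secret."""
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = scope
    return {
        "method": "POST",
        "url": "https://uaa.example.com/oauth/token",  # hypothetical host
        "headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": body,
    }


if __name__ == "__main__":
    for line_no, key, value in find_leaked_secrets(SAMPLE_LOG):
        print(f"line {line_no}: {key} leaked ({len(value)} chars); rotate it")
    print(scrub_log(SAMPLE_LOG))
```

Run the scanner over a copy of uaa.log taken from a DEBUG-level deployment: every hit is a secret that should be rotated, and scrub_log gives a version of the file that is safe to hand to anyone who does not already hold those credentials.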

Fix

Weakness Enumeration

CWE-532: Insertion of Sensitive Information into Log File

Related Identifiers

CVE-2019-11293

Affected Products

Cloud Foundry Uaa