A vulnerability, which was classified as critical, has been found in Cloud Foundry UAA up to 74.0.x (Cloud Software). This issue affects an unknown function of the component Scope Handler. The manipulation as part of a Request leads to a privileges management vulnerability. Using CWE to declare the problem leads to CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls.

The weakness was presented 09/26/2019 (Website). The advisory is shared at cloudfoundry.org. The identification of this vulnerability is CVE-2019-11279 since 04/18/2019. The exploitation is known to be easy. The attack may be initiated remotely. The successful exploitation requires a simple authentication. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1068 for this issue.

Upgrading to version 74.1.0 eliminates this vulnerability.

See VDB-142372 for similar entry. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Cloud Software

Vendor

• Cloud Foundry

Name

• UAA

Version

• 74.0

License

• free

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion