Pivotal Application Manager up to 670.0.6 CSV permission assignment

Summaryinfo

A vulnerability classified as critical was found in Pivotal Application Manager up to 666.0.35/677.0.21/668.0.20/669.0.12/670.0.6. This vulnerability affects unknown code of the component CSV Handler. Such manipulation as part of Application leads to permission assignment. This vulnerability is uniquely identified as CVE-2019-11275. The attack can be launched remotely. No exploit exists. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in Pivotal Application Manager up to 666.0.35/677.0.21/668.0.20/669.0.12/670.0.6 and classified as critical. Affected by this issue is an unknown function of the component CSV Handler. The manipulation as part of a Application leads to a permission assignment vulnerability. Using CWE to declare the problem leads to CWE-732. The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7, contain a vulnerability where a remote authenticated user can create an app with a name such that a csv program can interpret into a formula and gets executed. The malicious user can possibly gain access to a usage report that requires a higher privilege.

The weakness was disclosed 10/01/2019 (Website). The advisory is shared for download at pivotal.io. This vulnerability is handled as CVE-2019-11275 since 04/18/2019. The attack may be launched remotely. The successful exploitation requires a simple authentication. There are neither technical details nor an exploit publicly available.

Upgrading to version 666.0.36, 677.0.22, 668.0.21, 669.0.13 or 670.0.7 eliminates this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• Pivotal

Name

• Application Manager

Version

• 666.0.0
• 666.0.1
• 666.0.2
• 666.0.3
• 666.0.4
• 666.0.5
• 666.0.6
• 666.0.7
• 666.0.8
• 666.0.9
• 666.0.10
• 666.0.11
• 666.0.12
• 666.0.13
• 666.0.14
• 666.0.15
• 666.0.16
• 666.0.17
• 666.0.18
• 666.0.19
• 666.0.20
• 666.0.21
• 666.0.22
• 666.0.23
• 666.0.24
• 666.0.25
• 666.0.26
• 666.0.27
• 666.0.28
• 666.0.29
• 666.0.30
• 666.0.31
• 666.0.32
• 666.0.33
• 666.0.34
• 666.0.35
• 668.0.0
• 668.0.1
• 668.0.2
• 668.0.3
• 668.0.4
• 668.0.5
• 668.0.6
• 668.0.7
• 668.0.8
• 668.0.9
• 668.0.10
• 668.0.11
• 668.0.12
• 668.0.13
• 668.0.14
• 668.0.15
• 668.0.16
• 668.0.17
• 668.0.18
• 668.0.19
• 668.0.20
• 669.0.0
• 669.0.1
• 669.0.2
• 669.0.3
• 669.0.4
• 669.0.5
• 669.0.6
• 669.0.7
• 669.0.8
• 669.0.9
• 669.0.10
• 669.0.11
• 669.0.12
• 670.0.0
• 670.0.1
• 670.0.2
• 670.0.3
• 670.0.4
• 670.0.5
• 670.0.6
• 677.0.0
• 677.0.1
• 677.0.2
• 677.0.3
• 677.0.4
• 677.0.5
• 677.0.6
• 677.0.7
• 677.0.8
• 677.0.9
• 677.0.10
• 677.0.11
• 677.0.12
• 677.0.13
• 677.0.14
• 677.0.15
• 677.0.16
• 677.0.17
• 677.0.18
• 677.0.19
• 677.0.20
• 677.0.21

License

• commercial

Website

• Vendor: https://pivotal.io/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion