CVE-2019-11270
EUVD-2019-295905.08.2019, 17:15
Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| pivotal_software | application_service | 2.3.0 ≤ 𝑥 < 2.3.15 |
| pivotal_software | application_service | 2.4.0 ≤ 𝑥 < 2.4.11 |
| pivotal_software | application_service | 2.5.0 ≤ 𝑥 < 2.5.7 |
| pivotal_software | application_service | 2.6.0 ≤ 𝑥 < 2.6.2 |
| pivotal_software | cloud_foundry_uaa | 𝑥 < 73.4.0 |
| pivotal_software | operations_manager | 2.3.0 ≤ 𝑥 < 2.3.22 |
| pivotal_software | operations_manager | 2.4.0 ≤ 𝑥 < 2.4.16 |
| pivotal_software | operations_manager | 2.5.0 ≤ 𝑥 < 2.5.10 |
| pivotal_software | operations_manager | 2.6.0 ≤ 𝑥 < 2.6.4 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-269 - Improper Privilege ManagementThe software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
- CWE-732 - Incorrect Permission Assignment for Critical ResourceThe product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.