CVE-2019-11282

Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack. A remote authenticated malicious user with scim.invite scope can craft a request with malicious content which can leak information about users of the UAA.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.cloudfoundry.org/blog/cve-2019-11282	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-10-23 16:15

Updated : 2021-08-17 14:29

NVD link : CVE-2019-11282

Mitre link : CVE-2019-11282

CVE.ORG link : CVE-2019-11282

JSON object : View

Products Affected

cloudfoundry

cf-deployment

pivotal_software

cloud_foundry_uaa

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2019-11282", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "security@pivotal.io", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2019-10-23T16:15:11.480", "references": [{"url": "https://www.cloudfoundry.org/blog/cve-2019-11282", "tags": ["Vendor Advisory"], "source": "security@pivotal.io"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-74"}]}, {"type": "Secondary", "source": "security@pivotal.io", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack. A remote authenticated malicious user with scim.invite scope can craft a request with malicious content which can leak information about users of the UAA."}, {"lang": "es", "value": "Cloud Foundry UAA, versiones anteriores a v74.3.0, contiene un endpoint que es vulnerable al ataque de inyecci\u00f3n SCIM. Un usuario malicioso autenticado remoto con alcance de scim.invite puede dise\u00f1ar una petici\u00f3n con contenido malicioso que puede filtrar informaci\u00f3n sobre los usuarios de la UAA."}], "lastModified": "2021-08-17T14:29:23.840", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "32F2903C-37BF-4B89-BA89-664986DC9F8B", "versionEndExcluding": "12.2.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B51B0992-4C07-4D95-B52A-3D5F4650C594", "versionEndExcluding": "74.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@pivotal.io"}