CVE-2019-11270: UAA clients.write vulnerability
First published: Mon Aug 05 2019(Updated: )
Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.
Credit: security@pivotal.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pivotal Application Service | >=2.3.0<2.3.15 | |
| Pivotal Application Service | >=2.4.0<2.4.11 | |
| Pivotal Application Service | >=2.5.0<2.5.7 | |
| Pivotal Application Service | >=2.6.0<2.6.2 | |
| Cloud Foundry UAA | <73.4.0 | |
| Pivotal Operations Manager | >=2.3.0<2.3.22 | |
| Pivotal Operations Manager | >=2.4.0<2.4.16 | |
| Pivotal Operations Manager | >=2.5.0<2.5.10 | |
| Pivotal Operations Manager | >=2.6.0<2.6.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-11270?
CVE-2019-11270 is a vulnerability in Cloud Foundry UAA versions prior to v73.4.0 that allows a malicious client to bypass client restrictions and create clients with arbitrary scopes.
What is the severity of CVE-2019-11270?
The severity of CVE-2019-11270 is high with a CVSS score of 7.5.
Which software versions are affected by CVE-2019-11270?
Cloud Foundry UAA versions prior to v73.4.0, including Pivotal Software Application Service versions 2.3.0 to 2.3.15, 2.4.0 to 2.4.11, 2.5.0 to 2.5.7, and 2.6.0 to 2.6.2, as well as Pivotal Software Operations Manager versions 2.3.0 to 2.3.22, 2.4.0 to 2.4.16, 2.5.0 to 2.5.10, and 2.6.0 to 2.6.4 are affected.
How can a malicious client exploit CVE-2019-11270?
A malicious client with the 'clients.write' authority or scope can exploit CVE-2019-11270 to bypass restrictions and create clients with arbitrary scopes.
Where can I find more information about CVE-2019-11270?
More information about CVE-2019-11270 can be found at the following references: [Link 1](https://pivotal.io/security/cve-2019-11270) and [Link 2](https://www.cloudfoundry.org/blog/cve-2019-11270).
- agent/weakness
- agent/references
- agent/type
- agent/title
- agent/author
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/pivotal software
- canonical/pivotal application service
- version/pivotal application service/2.3.0
- version/pivotal application service/2.4.0
- version/pivotal application service/2.5.0
- version/pivotal application service/2.6.0
- canonical/cloud foundry uaa
- canonical/pivotal operations manager
- version/pivotal operations manager/2.3.0
- version/pivotal operations manager/2.4.0
- version/pivotal operations manager/2.5.0
- version/pivotal operations manager/2.6.0