CVE-2019-11275: CSV Injection in usage report downloaded from Pivotal Application Manager
First published: Tue Oct 01 2019(Updated: )
Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7, contain a vulnerability where a remote authenticated user can create an app with a name such that a csv program can interpret into a formula and gets executed. The malicious user can possibly gain access to a usage report that requires a higher privilege.
Credit: security@pivotal.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pivotal Apps Manager | >=666.0.0<666.0.36 | |
| Pivotal Apps Manager | >=667.0.0<667.0.22 | |
| Pivotal Apps Manager | >=668.0.0<668.0.21 | |
| Pivotal Apps Manager | >=669.0.0<669.0.13 | |
| Pivotal Apps Manager | >=670.0.0<670.0.7 | |
| Pivotal Software Pivotal Application Service | >=2.3.0<=2.3.18 | |
| Pivotal Software Pivotal Application Service | >=2.4.0<=2.4.14 | |
| Pivotal Software Pivotal Application Service | >=2.5.0<=2.5.1 | |
| Pivotal Software Pivotal Application Service | >=2.6.0<=2.6.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-11275?
CVE-2019-11275 is a vulnerability in Pivotal Application Manager that allows a remote authenticated user to create an app with a malicious name.
Which versions of Pivotal Application Manager are affected by CVE-2019-11275?
Versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7 of Pivotal Application Manager are affected.
What is the severity of CVE-2019-11275?
CVE-2019-11275 has a severity rating of medium with a score of 4.3.
How can a remote authenticated user exploit CVE-2019-11275?
A remote authenticated user can exploit CVE-2019-11275 by creating an app with a malicious name.
Where can I find more information about CVE-2019-11275?
You can find more information about CVE-2019-11275 at the following link: [CVE-2019-11275](https://pivotal.io/security/cve-2019-11275)
- collector/nvd-index
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/title
- agent/author
- agent/severity
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/pivotal
- canonical/pivotal apps manager
- version/pivotal apps manager/666.0.0
- version/pivotal apps manager/667.0.0
- version/pivotal apps manager/668.0.0
- version/pivotal apps manager/669.0.0
- version/pivotal apps manager/670.0.0
- vendor/pivotal software
- canonical/pivotal software pivotal application service
- version/pivotal software pivotal application service/2.3.0
- version/pivotal software pivotal application service/2.3.18
- version/pivotal software pivotal application service/2.4.0
- version/pivotal software pivotal application service/2.4.14
- version/pivotal software pivotal application service/2.5.0
- version/pivotal software pivotal application service/2.5.1
- version/pivotal software pivotal application service/2.6.0
- version/pivotal software pivotal application service/2.6.5