CVE-2019-11279: Privilege Escalation via Scope Manipulation in UAA
First published: Tue Sep 10 2019(Updated: )
CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls.
Credit: security@pivotal.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cloudfoundry Uaa Release | <74.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this security issue?
The vulnerability ID for this security issue is CVE-2019-11279.
What is the severity level of CVE-2019-11279?
CVE-2019-11279 has a severity level of high.
What is the affected software for CVE-2019-11279?
The affected software for CVE-2019-11279 is Cloudfoundry Uaa Release versions up to but not including 74.1.0.
How can a remote malicious user exploit CVE-2019-11279?
A remote malicious user can exploit CVE-2019-11279 by submitting an array of requested scopes, allowing them to escalate their privileges and take control of UAA and the resources it controls.
Is there a fix available for CVE-2019-11279?
Yes, a fix is available for CVE-2019-11279. Users should update to version 74.1.0 or later of Cloudfoundry Uaa Release.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/title
- agent/author
- agent/severity
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/cloudfoundry
- canonical/cloudfoundry uaa release