Lucene search

[email protected]CVE-2018-11081

HistoryOct 05, 2018 - 9:29 p.m.

CVE-2018-11081

2018-10-0521:29:00

[email protected]

web.nvd.nist.gov

cve-2018-11081

pivotal operations manager

operations manager uaa config

security vulnerability

nvd

data exposure

access control

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

72.0%

JSON

Pivotal Operations Manager, versions 2.2.x prior to 2.2.1, 2.1.x prior to 2.1.11, 2.0.x prior to 2.0.16, and 1.11.x prior to 2, fails to write the Operations Manager UAA config onto the temp RAM disk, thus exposing the configs directly onto disk. A remote user that has gained access to the Operations Manager VM, can now file search and find the UAA credentials for Operations Manager on the system disk…

Affected configurations

NVD

Node

pivotal_softwareoperations_managerRange1.11.0–1.12.25

pivotal_softwareoperations_managerRange2.0.0–2.0.16

pivotal_softwareoperations_managerRange2.1.0–2.1.11

pivotal_softwareoperations_managerRange2.2.0–2.2.1

CPENameOperatorVersion
pivotal_software:operations_managerpivotal software operations managerlt1.12.25
pivotal_software:operations_managerpivotal software operations managerlt2.0.16
pivotal_software:operations_managerpivotal software operations managerlt2.1.11
pivotal_software:operations_managerpivotal software operations managerlt2.2.1

CPE	Name	Operator	Version
pivotal_software:operations_manager	pivotal software operations manager	lt	1.12.25
pivotal_software:operations_manager	pivotal software operations manager	lt	2.0.16
pivotal_software:operations_manager	pivotal software operations manager	lt	2.1.11
pivotal_software:operations_manager	pivotal software operations manager	lt	2.2.1

CNA Affected

[
  {
    "product": "pivotal-ops-manager",
    "vendor": "Pivotal",
    "versions": [
      {
        "lessThanOrEqual": "2",
        "status": "affected",
        "version": "1.11.x",
        "versionType": "custom"
      },
      {
        "lessThan": "2.0.16",
        "status": "affected",
        "version": "2.0.x",
        "versionType": "custom"
      },
      {
        "lessThan": "2.1.11",
        "status": "affected",
        "version": "2.1.x",
        "versionType": "custom"
      },
      {
        "lessThan": "2.2.1",
        "status": "affected",
        "version": "2.2.x",
        "versionType": "custom"
      }
    ]
  }
]

References

pivotal.io/security/cve-2018-11081

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

72.0%

JSON

Related for CVE-2018-11081

prion1 nvd1 cvelist1