Lucene search

[email protected]CVE-2019-11282

HistoryOct 23, 2019 - 4:15 p.m.

CVE-2019-11282

2019-10-2316:15:11

CWE-74

CWE-200

[email protected]

web.nvd.nist.gov

cloud foundry

uaa

cve-2019-11282

scim injection

information leak

security vulnerability

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.3 Medium

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

34.3%

JSON

Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack. A remote authenticated malicious user with scim.invite scope can craft a request with malicious content which can leak information about users of the UAA.

Affected configurations

NVD

Node

cloudfoundrycf-deploymentRange<12.2.0

Node

pivotal_softwarecloud_foundry_uaaRange<74.3.0

CPENameOperatorVersion
cloudfoundry:cf-deploymentcloudfoundry cf-deploymentlt12.2.0

CPE	Name	Operator	Version
cloudfoundry:cf-deployment	cloudfoundry cf-deployment	lt	12.2.0

CNA Affected

[
  {
    "product": "UAA Release",
    "vendor": "Cloud Foundry",
    "versions": [
      {
        "lessThan": "v74.3.0",
        "status": "affected",
        "version": "All",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "CF Deployment",
    "vendor": "Cloud Foundry",
    "versions": [
      {
        "lessThan": "v12.2.0",
        "status": "affected",
        "version": "All",
        "versionType": "custom"
      }
    ]
  }
]