CF UAA versions prior to 74.1.0, allow external input to be directly queried against. A remote malicious user with 'client.write' and 'groups.update' can craft a SCIM query, which leaks information that allows an escalation of privileges, ultimately allowing the malicious user to gain control of UAA scopes they should not have.
References
Link | Resource |
---|---|
https://www.cloudfoundry.org/blog/cve-2019-11278 | Vendor Advisory |
Configurations
Information
Published : 2019-09-26 14:15
Updated : 2020-10-04 19:06
NVD link : CVE-2019-11278
Mitre link : CVE-2019-11278
JSON object : View
CWE
Products Affected
cloudfoundry
- user_account_and_authentication