CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls.
References
Link | Resource |
---|---|
https://www.cloudfoundry.org/blog/cve-2019-11279 | Vendor Advisory |
Configurations
Information
Published : 2019-09-26 15:15
Updated : 2020-10-04 19:05
NVD link : CVE-2019-11279
Mitre link : CVE-2019-11279
JSON object : View
CWE
Products Affected
cloudfoundry
- uaa_release