CVE-2019-11279

Summary

CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls.

Affected Software

VendorProductVersion RangeStatus
Cloud FoundryUAA Release (OSS)prior to 74.1.0affected

Weaknesses

  • CWE-77: CWE-77: Command Injection - Generic

ADP Enrichment

CVE Program Container

Additional References

References