CVE-2019-11280

Summary

Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain additional privileges by inviting themselves to spaces that they should not have access to.

Affected Software

VendorProductVersion RangeStatus
PivotalPivotal Application Service (PAS)2.3.x prior to 2.3.18affected
PivotalPivotal Application Service (PAS)2.4.x prior to 2.4.14affected
PivotalPivotal Application Service (PAS)2.5.x prior to 2.5.10affected
PivotalPivotal Application Service (PAS)2.6.x prior to 2.6.5affected

Weaknesses

  • CWE-269: CWE-269: Improper Privilege Management

ADP Enrichment

CVE Program Container

Additional References

References