CVE-2019-11278 HIGH

CVE-2019-11278: Privilege Escalation via Blind SCIM Injection in UAA

Vendor Cloud Foundry
Product UAA Release (OSS)
Weakness CWE-77
Published September 26, 2019
Last update September 16, 2024

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

Description

Cloud Foundry UAA versions prior to 74.1.0 pass externally supplied input directly into SCIM queries without adequate validation. A remote attacker who already holds the 'client.write' and 'groups.update' scopes can craft a SCIM query whose results leak information. The injection is blind: the attacker learns from whether the query matches rather than from any returned error, and uses what is learned to escalate privileges, ultimately gaining control of UAA scopes they should not have. The prerequisite scopes are why the CVSS vector rates Privileges Required as High; Scope: Changed indicates that the impact reaches beyond the vulnerable component itself. Upgrade to UAA 74.1.0 or later.
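To make the bug class concrete, here is an added illustration of blind filter injection against a SCIM-style query, written for this page and not taken from UAA or the Cloud Foundry fix. It uses a toy in-memory group store (GROUPS), a minimal evaluator for the SCIM filter subset eq/sw/co/pr with and/or, a vulnerable lookup that splices caller input into the filter string, a hardened lookup that quotes and escapes the operand, and a blind extraction loop that recovers a hidden group name from nothing but a "did anything match?" signal. All names, the sample groups and the escaping helper are assumptions for the demonstration; UAA's actual code and its 74.1.0 fix are not reproduced here.

```python
import re
import string

# Constructed sample data: an in-memory stand-in for a SCIM /Groups endpoint.
# The group names are illustrative, not real UAA groups.
GROUPS = [
    {"displayName": "uaa.user", "description": "Default user group"},
    {"displayName": "scim.read", "description": "Read SCIM resources"},
    {"displayName": "admin.secret-ops", "description": "Restricted group"},
]

# Alphabet the blind-extraction loop tries; no '"' so payloads stay well-formed.
ALPHABET = string.ascii_lowercase + ".-"

# Either a quoted string with backslash escapes, or a bare token.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def tokenize(filter_str):
    """Split a SCIM filter into ('str', text) and ('word', text) tokens."""
    tokens = []
    for quoted, bare in _TOKEN.findall(filter_str):
        if bare:
            tokens.append(("word", bare))
        else:  # drop the quotes and resolve backslash escapes
            tokens.append(("str", re.sub(r"\\(.)", r"\1", quoted)))
    return tokens


def evaluate(tokens, resource):
    """Evaluate a SCIM filter subset against one resource (a dict):
    expr = term {'or' term}; term = factor {'and' factor};
    factor = attr ('pr' | ('eq' | 'sw' | 'co') quoted-string)."""
    pos = 0

    def at_keyword(word):
        return pos < len(tokens) and tokens[pos] == ("word", word)

    def factor():
        nonlocal pos
        attr, op = tokens[pos][1], tokens[pos + 1][1].lower()
        pos += 2
        value = resource.get(attr)
        if op == "pr":
            return value is not None
        kind, operand = tokens[pos]
        pos += 1
        if kind != "str":
            raise ValueError("comparison operand must be a quoted string")
        if value is None:
            return False
        return {"eq": value == operand,
                "sw": value.startswith(operand),
                "co": operand in value}[op]

    def term():
        nonlocal pos
        result = factor()
        while at_keyword("and"):
            pos += 1
            result = factor() and result
        return result

    def expr():
        nonlocal pos
        result = term()
        while at_keyword("or"):
            pos += 1
            result = term() or result
        return result

    result = expr()
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens in filter")
    return result


def search(filter_str):
    """The 'server side': run one filter against every group."""
    tokens = tokenize(filter_str)
    return [g for g in GROUPS if evaluate(tokens, g)]


def lookup_group_unsafe(name):
    """Vulnerable pattern: caller input spliced into the filter verbatim."""
    return search(f'displayName eq "{name}"')


def scim_string(value):
    """Quote a value for a SCIM filter, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def lookup_group_safe(name):
    """Hardened pattern: the input can only ever be the string operand."""
    return search(f"displayName eq {scim_string(name)}")


def blind_extract_name(seed, oracle, alphabet=ALPHABET):
    """Recover a displayName one character at a time from a seed prefix, using
    an oracle that only answers 'did the lookup return anything?'."""
    known = seed
    while True:
        for ch in alphabet:
            candidate = known + ch
            # Close the intended string, then OR in the attacker's own predicate.
            if oracle(f'zzz" or displayName sw "{candidate}'):
                known = candidate
                break
        else:  # no character extends the name: extraction is complete
            return known
```

Running `blind_extract_name("admin", lambda p: bool(lookup_group_unsafe(p)))` walks the alphabet until it has spelled out "admin.secret-ops", never seeing the group itself, only match/no-match. Against `lookup_group_safe` the same payload is a literal string operand, so the loop stops at the seed. Escaping the operand is one mitigation; rejecting filters that fail strict grammar validation, or not exposing caller input to the filter at all, are stronger ones.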

Key dates

Disclosure timeline

September 26, 2019 CVE published
September 16, 2024 Record updated