CVE-2019-11279 HIGH

CVE-2019-11279: Privilege Escalation via Scope Manipulation in UAA

Vendor Cloud Foundry
Product UAA Release (OSS)
Weakness CWE-77
Published September 26, 2019
Last update September 17, 2024

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls.

Key dates

02Disclosure timeline

September 26, 2019 CVE published
September 17, 2024 Record updated