CVE-2019-11280 HIGH

CVE-2019-11280: Privilege escalation through the invitations service

Vendor Pivotal

Product Pivotal Application Service (PAS)

Weakness CWE-269

Published September 20, 2019

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain additional privileges by inviting themselves to spaces that they should not have access to.

Key dates

02Disclosure timeline

September 20, 2019 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2019-11280 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/269.html

Related vulnerabilities

Identifiers

CVE CVE-2019-11280

CWE CWE-269

CVSS 8.8 / HIGH

Affected versions

Vendor Pivotal

Product Pivotal Application Service (PAS)

Affected 2.3.x prior to 2.3.18

Vendor Pivotal

Product Pivotal Application Service (PAS)

Affected 2.4.x prior to 2.4.14

Vendor Pivotal

Product Pivotal Application Service (PAS)

Affected 2.5.x prior to 2.5.10

Vendor Pivotal

Product Pivotal Application Service (PAS)

Affected 2.6.x prior to 2.6.5

CVE-2019-11280: Privilege escalation through the invitations service

01Description

02Disclosure timeline

03References

04Related CVE