CVE-2019-11270

HIGH

Pivotal Software Application Service - Improper Privilege Management

Title source: rule

Description

Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' (which are meant to limit a new client to scopes the creator itself holds) and create clients with arbitrary scopes that the creator does not possess. The result is a privilege-escalation path: any principal trusted with 'clients.write' can mint a client carrying whatever scopes it likes. UAA 73.4.0 and the product versions listed under Affected Products contain the fix.
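The check that a client-registration endpoint must apply to a 'clients.write' caller, shown as an added example written for this page; it is not UAA's code, and the names (register_client_vulnerable, register_client_hardened, Caller, ClientSpec, demo) and the scenario data are hypothetical. It simplifies by comparing the requested scope and authorities against the union of what the caller's token carries, and treats 'clients.admin' as exempt from the subset rule.

```python
from dataclasses import dataclass

CLIENTS_WRITE = "clients.write"
CLIENTS_ADMIN = "clients.admin"


class Forbidden(Exception):
    """Raised when a registration request exceeds the caller's privileges."""


@dataclass(frozen=True)
class Caller:
    """Principal calling the registration endpoint; 'scopes' and
    'authorities' are the sets carried in its access token."""
    client_id: str
    scopes: frozenset = frozenset()
    authorities: frozenset = frozenset()

    def held(self):
        # Simplification: one pool of privileges, regardless of field.
        return self.scopes | self.authorities


@dataclass(frozen=True)
class ClientSpec:
    """Requested definition of the new OAuth client (hypothetical shape)."""
    client_id: str
    scope: frozenset = frozenset()
    authorities: frozenset = frozenset()
    authorized_grant_types: frozenset = frozenset({"client_credentials"})


def register_client_vulnerable(caller, spec, registry):
    """Models the flaw: verifies only that the caller holds clients.write,
    never that the requested scope/authorities stay within what the
    caller itself holds."""
    if not caller.held() & {CLIENTS_WRITE, CLIENTS_ADMIN}:
        raise Forbidden("clients.write or clients.admin required")
    registry[spec.client_id] = spec
    return spec


def excess_privileges(caller, spec):
    """Everything requested for the new client that the caller lacks."""
    return (spec.scope | spec.authorities) - caller.held()


def register_client_hardened(caller, spec, registry):
    """Intended rule: clients.admin may create any client; clients.write may
    only create clients whose scope and authorities are a subset of the
    caller's own. The registry is untouched until the check passes."""
    held = caller.held()
    if CLIENTS_ADMIN not in held:
        if CLIENTS_WRITE not in held:
            raise Forbidden("clients.write or clients.admin required")
        excess = excess_privileges(caller, spec)
        if excess:
            raise Forbidden("caller lacks: " + ", ".join(sorted(excess)))
    registry[spec.client_id] = spec
    return spec


def demo():
    """Constructed scenario: a caller holding clients.write and uaa.resource
    tries to mint a client carrying clients.admin and scim.write."""
    attacker = Caller("app-deployer",
                      authorities=frozenset({CLIENTS_WRITE, "uaa.resource"}))
    escalated = ClientSpec("backdoor",
                           authorities=frozenset({CLIENTS_ADMIN, "scim.write"}))
    modest = ClientSpec("worker", authorities=frozenset({"uaa.resource"}))

    vulnerable_registry, hardened_registry = {}, {}
    register_client_vulnerable(attacker, escalated, vulnerable_registry)
    try:
        register_client_hardened(attacker, escalated, hardened_registry)
        hardened_rejected = False
    except Forbidden:
        hardened_rejected = True
    # A request within the caller's own privileges still succeeds.
    register_client_hardened(attacker, modest, hardened_registry)
    return {
        "vulnerable_created": "backdoor" in vulnerable_registry,
        "hardened_rejected": hardened_rejected,
        "hardened_created": sorted(hardened_registry),
        "excess": sorted(excess_privileges(attacker, escalated)),
    }


if __name__ == "__main__":
    print(demo())
```

The same subset comparison is the check to run against a live deployment: with a token that carries only 'clients.write', attempt to register a client whose scope or authorities include something the token lacks; a patched UAA refuses, an affected one returns the new client.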

Scores

CVSS v3 7.5
EPSS 0.0023
EPSS Percentile 45.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE
CWE-269 CWE-732
Status published

Affected Products (3)

pivotal_software/application_service < 2.3.15
pivotal_software/cloud_foundry_uaa < 73.4.0
pivotal_software/operations_manager < 2.3.22

Timeline

Published Aug 05, 2019
Tracked Since Feb 18, 2026