CVE-2019-11270

HIGH

Pivotal Software Application Service - Improper Privilege Management


Description

Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.

References (2)

Vendor Advisory: https://www.cloudfoundry.org/blog/cve-2019-11270
Vendor Advisory: https://pivotal.io/security/cve-2019-11270

Scores

CVSS v3 7.5
EPSS 0.0023
EPSS Percentile 45.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-269 CWE-732
Status published
Products (3)
pivotal_software/application_service 2.3.0 - 2.3.15
pivotal_software/cloud_foundry_uaa < 73.4.0
pivotal_software/operations_manager 2.3.0 - 2.3.22
Published Aug 05, 2019
Tracked Since Feb 18, 2026