CVE-2019-11293
MEDIUMCloudfoundry Cf-deployment < 12.12.0 - Log Information Exposure
Title source: ruleDescription
Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://www.cloudfoundry.org/blog/cve-2019-11293
Scores
CVSS v3
6.5
EPSS
0.0054
EPSS Percentile
67.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-532
Status
published
Products (2)
cloudfoundry/cf-deployment
< 12.12.0
cloudfoundry/user_account_and_authentication
< 74.10.0
Published
Dec 06, 2019
Tracked Since
Feb 18, 2026