CVE-2019-3798: Escalation of Privileges in Cloud Controller


Severity

Medium

Vendor

Pivotal

Description

Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.15, 2.3.x prior to 2.3.10, 2.4.x prior to 2.4.6, and 2.5.x prior to 2.5.2, contains CAPI (the Cloud Controller API), which performs improper authentication when validating user permissions. A remote, authenticated malicious user who can create UAA clients and who knows the email address of a victim in the foundation may escalate their privileges to those of the victim by creating a client whose name equals the victim's user guid.
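The flaw described above is a principal-confusion bug: a token issued to a UAA client (client_credentials grant) carries a client_id but no user_id, and if the API falls back to treating the client_id as a user guid, a client named after a user is resolved as that user. The Ruby below is an added illustration of that bug class and its fix, not CAPI's own code; the user table, token claims, guids and function names are all constructed for the example, and the exact lookup logic CAPI used before and after the fix is not shown on this page.

```ruby
# Constructed user directory: user guid => username. Not real data.
USERS = {
  "3f9b2c1e-7d4a-4b0e-9c8d-aa11bb22cc33" => "victim@example.com",
  "aa0e5d7c-1b2f-4c3d-8e9f-001122334455" => "other@example.com"
}.freeze

# Constructed decoded token claims, i.e. what is left after the JWT signature
# has already been verified. A user token carries user_id; a client token does not.
USER_TOKEN = {
  "user_id"    => "3f9b2c1e-7d4a-4b0e-9c8d-aa11bb22cc33",
  "client_id"  => "cf",
  "grant_type" => "password"
}.freeze

CLIENT_TOKEN = {
  # A client whose name collides with a known user guid; no user_id claim.
  "client_id"  => "3f9b2c1e-7d4a-4b0e-9c8d-aa11bb22cc33",
  "grant_type" => "client_credentials"
}.freeze

# kind is :user or :client; username is nil for client principals.
Principal = Struct.new(:kind, :id, :username)

# Weak pattern (hypothetical): falls back to client_id as if it were a user
# guid, so a client token whose client_id matches a user's guid is resolved
# as that user.
def resolve_principal_weak(claims)
  guid = claims["user_id"] || claims["client_id"]
  username = USERS[guid]
  return Principal.new(:user, guid, username) if username

  Principal.new(:client, claims["client_id"], nil)
end

# Hardened pattern (hypothetical): only the user_id claim may ever resolve to
# a user, and a client_credentials grant always yields a client principal no
# matter what the client is named.
def resolve_principal_fixed(claims)
  if claims["grant_type"] == "client_credentials" || claims["user_id"].nil?
    return Principal.new(:client, claims["client_id"], nil)
  end

  username = USERS[claims["user_id"]]
  raise ArgumentError, "token user_id does not match a known user" unless username

  Principal.new(:user, claims["user_id"], username)
end

# Defender audit: given the names of registered UAA clients, return those that
# collide with a known user guid. Such a collision is worth investigating on a
# foundation that has not yet been upgraded.
def colliding_client_names(client_ids)
  client_ids.select { |id| USERS.key?(id) }
end

if __FILE__ == $PROGRAM_NAME
  p resolve_principal_weak(CLIENT_TOKEN)   # resolves to victim@example.com
  p resolve_principal_fixed(CLIENT_TOKEN)  # resolves to a client principal
  p colliding_client_names(["cf", "3f9b2c1e-7d4a-4b0e-9c8d-aa11bb22cc33"])
end
```

The audit helper is the operational takeaway for an unpatched foundation: enumerate client names from UAA and compare them against user guids, since a match has no legitimate reason to exist.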

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • Pivotal Application Service (PAS)
    • 2.2.x versions prior to 2.2.15
    • 2.3.x versions prior to 2.3.10
    • 2.4.x versions prior to 2.4.6
    • 2.5.x versions prior to 2.5.2

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team recommends upgrading to the open-source CAPI release that contains the fix, if applicable.
  • Releases that have fixed this issue include:
    • Pivotal Application Service (PAS) 2.2.15
    • Pivotal Application Service (PAS) 2.3.10
    • Pivotal Application Service (PAS) 2.4.6
    • Pivotal Application Service (PAS) 2.5.2

History

2019-04-24: Initial vulnerability report published.