All Vulnerability Reports

CVE-2019-3787: UAA defaults email address to an insecure domain


Severity

High

Vendor

Pivotal Cloud Foundry

Description

Pivotal Application Service (2.3.x versions prior to 2.3.14, 2.4.x versions prior to 2.4.10, and 2.5.x versions prior to 2.5.7), Pivotal Container Service (1.3.x versions prior to 1.3.8, and 1.4.x versions prior to 1.4.2), and Pivotal Ops Manager (2.3.x versions prior to 2.3.20, and 2.4.x versions prior to 2.4.14, 2.5.x versions prior to 2.5.10, and 2.6.x versions prior to 2.6.4), through their dependency on a vulnerable version of UAA (60.x versions prior to 60.14, 64.x versions prior to 64.2, and 66.x versions prior to 66.1, and 71.x versions prior to 71.1), falls back to appending "unknown.org" to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow an attacker to gain complete control of the user's account.

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • Pivotal Application Service (PAS)
    • 2.3.x versions prior to 2.3.14
    • 2.4.x versions prior to 2.4.10
    • 2.5.x versions prior to 2.5.7
  • Pivotal Container Service (PKS)
    • 1.3.x versions prior to 1.3.8
    • 1.4.x versions prior to 1.4.2
  • Pivotal Ops Manager
    • 2.3.x versions prior to 2.3.20
    • 2.4.x versions prior to 2.4.14
    • 2.5.x versions prior to 2.5.10
    • 2.6.x versions prior to 2.6.4
  • UAA Release
    • 60.x versions prior to 60.14
    • 64.x versions prior to 64.2
    • 66.x versions prior to 66.1
    • 71.x versions prior to 71.1
Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • Pivotal Application Service (PAS)
      • 2.3.14
      • 2.4.10
      • 2.5.7
    • Pivotal Container Service
      • 1.3.8
      • 1.4.2
    • Pivotal Ops Manager
      • 2.3.20
      • 2.4.14
      • 2.5.10
      • 2.6.4
    • UAA Release
      • 60.14
      • 64.2
      • 66.1
      • 71.1
Credit

This vulnerability was responsibly reported by Kristian Kraljic from SAP.

References
History

2019-08-20: Initial vulnerability report published

2019-09-26: Updated Affected version, Description and Mitigation section for PAS 2.3 release line

Contattaci