CVE-2019-3787: UAA defaults email address to an insecure domain
Severity
High
Vendor
Pivotal Cloud Foundry
Description
Pivotal Application Service (2.3.x versions prior to 2.3.14, 2.4.x versions prior to 2.4.10, 2.5.x versions prior to 2.5.7, and 2.6.x versions prior to 2.6.2), Pivotal Container Service (1.3.x versions prior to 1.3.8, and 1.4.x versions prior to 1.4.2), and Pivotal Ops Manager (2.3.x versions prior to 2.3.20, 2.4.x versions prior to 2.4.14, 2.5.x versions prior to 2.5.10, and 2.6.x versions prior to 2.6.4), through their dependency on a vulnerable version of UAA (60.x versions prior to 60.14, 64.x versions prior to 64.2, 66.x versions prior to 66.1, and 71.x versions prior to 71.1), fall back to appending "unknown.org" to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails being sent to a potentially fraudulent address. This would allow an attacker to gain complete control of the user's account.
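The following Python is an added illustration, not code from UAA or from this advisory. It reproduces the fallback the description above reports (no email supplied and no "@" in the user name yields "<username>@unknown.org"), shows an assumed hardened variant that refuses to fabricate a routable address (this is an assumption for illustration, not a description of the actual UAA fix), and adds an audit function an operator can run over a SCIM user export to find accounts whose stored recovery address was synthesized this way. The user records are constructed sample data.

```python
"""Constructed illustration of the CVE-2019-3787 email fallback and a defender-side audit."""
from dataclasses import dataclass, field
from typing import List, Optional

# Domain the vulnerable UAA versions appended when no email was supplied (from the advisory).
FALLBACK_DOMAIN = "unknown.org"


@dataclass
class ScimUser:
    """Minimal stand-in for a SCIM user record: a user name and zero or more emails."""
    user_name: str
    emails: List[str] = field(default_factory=list)


def derive_email_vulnerable(user: ScimUser) -> str:
    """Behaviour the advisory describes: with no email given, the user name is used,
    and '@unknown.org' is appended when the user name has no '@'."""
    if user.emails:
        return user.emails[0]
    if "@" in user.user_name:
        return user.user_name
    return f"{user.user_name}@{FALLBACK_DOMAIN}"


def derive_email_hardened(user: ScimUser) -> Optional[str]:
    """Assumed hardened variant (illustration only, not UAA's actual fix): never
    fabricate a routable address. Returns None when no email was supplied and the
    user name is not itself an address, so password recovery has nothing to send to."""
    if user.emails:
        return user.emails[0]
    if "@" in user.user_name:
        return user.user_name
    return None


def audit_fallback_addresses(users: List[ScimUser]) -> List[str]:
    """Defender check: return the user names whose stored email uses the fallback
    domain, i.e. accounts whose recovery mail would leave the organisation."""
    flagged = []
    for user in users:
        for addr in user.emails:
            _local, _sep, domain = addr.rpartition("@")
            if domain.lower() == FALLBACK_DOMAIN:
                flagged.append(user.user_name)
                break
    return flagged


# Constructed sample export: two accounts carry a synthesized fallback address.
SAMPLE_USERS = [
    ScimUser("alice", ["alice@unknown.org"]),
    ScimUser("bob@corp.example", ["bob@corp.example"]),
    ScimUser("carol", ["carol@corp.example"]),
    ScimUser("dave", ["dave@UNKNOWN.ORG"]),
]

if __name__ == "__main__":
    print("vulnerable fallback for 'alice':", derive_email_vulnerable(ScimUser("alice")))
    print("hardened result for 'alice':   ", derive_email_hardened(ScimUser("alice")))
    print("accounts to fix:", audit_fallback_addresses(SAMPLE_USERS))
```

Operators on a fixed version should still run a check like `audit_fallback_addresses` against existing user records, since upgrading UAA does not rewrite addresses that were already stored with the fallback domain.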
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Pivotal Application Service (PAS)
  - 2.3.x versions prior to 2.3.14
  - 2.4.x versions prior to 2.4.10
  - 2.5.x versions prior to 2.5.7
  - 2.6.x versions prior to 2.6.2
- Pivotal Container Service (PKS)
  - 1.3.x versions prior to 1.3.8
  - 1.4.x versions prior to 1.4.2
- Pivotal Ops Manager
  - 2.3.x versions prior to 2.3.20
  - 2.4.x versions prior to 2.4.14
  - 2.5.x versions prior to 2.5.10
  - 2.6.x versions prior to 2.6.4
- UAA Release
  - v60.x versions prior to v60.14
  - v64.x versions prior to v64.2
  - v66.x versions prior to v66.1
  - v71.x versions prior to v71.1
Mitigation
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
  - Pivotal Application Service (PAS)
    - 2.3.14
    - 2.4.10
    - 2.5.7
    - 2.6.2
  - Pivotal Container Service (PKS)
    - 1.3.8
    - 1.4.2
  - Pivotal Ops Manager
    - 2.3.20
    - 2.4.14
    - 2.5.10
    - 2.6.4
  - UAA Release
    - v60.14
    - v64.2
    - v66.1
    - v71.1
Credit
This vulnerability was responsibly reported by Kristian Kraljic from SAP.
References
- https://www.cloudfoundry.org/blog/cve-2019-3787/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3787
History
2019-08-20: Initial vulnerability report published
2019-09-26: Updated Affected Versions, Description and Mitigation sections for the PAS 2.3 release line
2019-12-13: Added PAS 2.6 fixed version