CVE-2019-3798: Escalation of Privileges in Cloud Controller
Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.15, 2.3.x prior to 2.3.10, 2.4.x prior to 2.4.6, and 2.5.x prior to 2.5.2 contains CAPI, which performs improper authentication when validating user permissions. A remote authenticated malicious user with the ability to create UAA clients and knowledge of the email of a victim in the foundation may escalate their privileges to that of the victim by creating a client with a name equal to the guid of their victim.
Severity is medium unless otherwise noted.
- Pivotal Application Service (PAS)
- 2.2.x versions prior to 2.2.15
- 2.3.x versions prior to 2.3.10
- 2.4.x versions prior to 2.4.6
- 2.5.x versions prior to 2.5.2
Users of affected versions should apply the following mitigation:
- The Cloud Foundry team recommends upgrading CAPI (OSS) listed here if applicable.
- Releases that have fixed this issue include:
- Pivotal Application Service (PAS) 2.2.15
- Pivotal Application Service (PAS) 2.3.10
- Pivotal Application Service (PAS) 2.4.6
- Pivotal Application Service (PAS) 2.5.2
2019-04-24: Initial vulnerability report published.