All Vulnerability Reports

CVE-2019-11279: Privilege Escalation via Scope Manipulation in UAA


Severity

High

Vendor

Pivotal

Description

Pivotal Ops Manager (2.5.x versions prior to 2.5.17 and 2.6.x versions prior to 2.6.9), Pivotal Container Service (1.4.x versions prior to 1.4.3, and 1.5.x versions prior to 1.5.1), and Pivotal Application Service (2.5.x versions prior to 2.5.12, 2.6.x versions prior to 2.6.7, and 2.7.x versions prior to 2.7.1), through their dependency on a vulnerable version of UAA (64.x versions prior to 64.4, 66.x versions prior to 66.4, 71.x versions prior to 71.3 and 73.x versions prior to 73.4.8), can request scopes for a client that should not be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls.

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • Pivotal Ops Manager
    • 2.5 versions prior to 2.5.17
    • 2.6 versions prior to 2.6.9
  • UAA Release
    • v64 versions prior to v64.4
    • v66 versions prior to v66.4
    • v71 versions prior to v71.3
    • v73 versions prior to v73.4.8
  • Pivotal Container Service (PKS)
    • 1.4 versions prior to 1.4.3
    • 1.5 versions prior to 1.5.1
  • Pivotal Application Service (PAS)
    • 2.5 versions prior to 2.5.12
    • 2.6 versions prior to 2.6.7
    • 2.7 versions prior to 2.7.1
Mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

  • Pivotal Ops Manager
    • 2.5.17
    • 2.6.9
  • UAA Release
    • v64.4
    • v66.4
    • v71.3
    • v73.4.8
  • Pivotal Container Service (PKS)
    • 1.4.3
    • 1.5.1
  • Pivotal Application Service (PAS)
    • 2.5.12
    • 2.6.7
    • 2.7.1
Credit

This issue was responsibly reported by GE Digital Cyber Security Team.

References
History

2019-10-15: Initial vulnerability report published.

Contact us