CVE-2019-11279: Privilege Escalation via Scope Manipulation in UAA
Severity
High
Vendor
Pivotal
Description
Pivotal Ops Manager (2.5.x versions prior to 2.5.17 and 2.6.x versions prior to 2.6.9), Pivotal Container Service (1.4.x versions prior to 1.4.3, and 1.5.x versions prior to 1.5.1), and Pivotal Application Service (2.5.x versions prior to 2.5.12, 2.6.x versions prior to 2.6.7, and 2.7.x versions prior to 2.7.1), through their dependency on a vulnerable version of UAA (64.x versions prior to 64.4, 66.x versions prior to 66.4, 71.x versions prior to 71.3 and 73.x versions prior to 73.4.8), can request scopes for a client that should not be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls.
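The description above states the bug class but not the shape of the check that failed. The following Python is an added illustration and is not UAA source or the patched code: it models a scope resolver that validates the space-delimited string form of the `scope` parameter but trusts an array form verbatim, beside a hardened resolver that canonicalises every accepted representation before comparing it with the client's registered scopes. The client registration (`app-client`, its two allowed scopes) and the token requests are constructed for the example; `uaa.admin` stands in for the high-privilege scope an attacker would ask for.

```python
# Added illustration (not UAA source): a scope-validation function that
# fails open when the requested scope arrives as an array, beside a
# hardened version that canonicalises the parameter before checking it.

from typing import Iterable, Set, Union

ScopeParam = Union[str, Iterable[str], None]

# Constructed client registration for the example; the client may only
# obtain these two scopes.
CLIENT_REGISTRY = {
    "app-client": {"scope": frozenset({"openid", "cloud_controller.read"})},
}


class InvalidScope(Exception):
    """Raised when a token request asks for scopes the client may not have."""


def vulnerable_resolve_scopes(client_id: str, requested: ScopeParam) -> Set[str]:
    """Flawed check: only the space-delimited string form is validated.

    When the caller supplies the scope as an array, the function trusts it
    verbatim, so any scope name (including an admin scope) is granted.
    """
    allowed = CLIENT_REGISTRY[client_id]["scope"]
    if requested is None:
        return set(allowed)                      # default to the client's own scopes
    if isinstance(requested, str):
        wanted = set(requested.split())
        if not wanted <= allowed:
            raise InvalidScope(f"not allowed: {sorted(wanted - allowed)}")
        return wanted
    # Array form falls through with no comparison against `allowed`.
    return set(requested)


def normalize_scopes(requested: ScopeParam) -> Set[str]:
    """Collapse every accepted representation into one set of scope names."""
    if requested is None:
        return set()
    if isinstance(requested, str):
        return set(requested.split())
    if isinstance(requested, (list, tuple, set, frozenset)):
        names: Set[str] = set()
        for item in requested:
            if not isinstance(item, str):
                raise InvalidScope("scope entries must be strings")
            names.update(item.split())          # an element may itself be space-delimited
        return names
    raise InvalidScope(f"unsupported scope parameter type {type(requested).__name__}")


def fixed_resolve_scopes(client_id: str, requested: ScopeParam) -> Set[str]:
    """Hardened check: canonicalise first, then compare against the registry."""
    allowed = CLIENT_REGISTRY[client_id]["scope"]
    wanted = normalize_scopes(requested)
    if not wanted:
        return set(allowed)
    unauthorized = wanted - allowed
    if unauthorized:
        raise InvalidScope(f"client {client_id} may not request {sorted(unauthorized)}")
    return wanted


def raises_invalid_scope(resolver, client_id: str, requested: ScopeParam) -> bool:
    """True when `resolver` rejects the request; used to compare both checks."""
    try:
        resolver(client_id, requested)
    except InvalidScope:
        return True
    return False


if __name__ == "__main__":
    # Constructed token requests: the same scopes as a string and as an array.
    for form in ("openid uaa.admin", ["openid", "uaa.admin"]):
        for name, resolver in (("vulnerable", vulnerable_resolve_scopes),
                               ("fixed", fixed_resolve_scopes)):
            rejected = raises_invalid_scope(resolver, "app-client", form)
            print(f"{name:10s} {form!r:32s} -> {'rejected' if rejected else 'GRANTED'}")
```

The point to take from the hardened version is that the comparison against the client's registered scopes happens after every representation has been reduced to one set, so the parameter's encoding can no longer select a code path that skips the check; an unexpected type is rejected rather than passed through.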
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Pivotal Ops Manager
  - 2.5 versions prior to 2.5.17
  - 2.6 versions prior to 2.6.9
- UAA Release
  - v64 versions prior to v64.4
  - v66 versions prior to v66.4
  - v71 versions prior to v71.3
  - v73 versions prior to v73.4.8
- Pivotal Container Service (PKS)
  - 1.4 versions prior to 1.4.3
  - 1.5 versions prior to 1.5.1
- Pivotal Application Service (PAS)
  - 2.5 versions prior to 2.5.12
  - 2.6 versions prior to 2.6.7
  - 2.7 versions prior to 2.7.1
Mitigation
Users of affected versions should upgrade to a fixed release; no alternative mitigation is listed. Releases that have fixed this issue include:
- Pivotal Ops Manager
  - 2.5.17
  - 2.6.9
- UAA Release
  - v64.4
  - v66.4
  - v71.3
  - v73.4.8
- Pivotal Container Service (PKS)
  - 1.4.3
  - 1.5.1
- Pivotal Application Service (PAS)
  - 2.5.12
  - 2.6.7
  - 2.7.1
Credit
Amit Laish - GE Digital Cyber Security Team
References
- https://www.cloudfoundry.org/blog/cve-2019-11279
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11279
History
2019-10-15: Initial vulnerability report published.