CVE-2019-11279 – Privilege Escalation via Scope Manipulation in UAA
https://notcve.org/view.php?id=CVE-2019-11279
26 Sep 2019 — CF UAA versions prior to 74.1.0 allow a client to request scopes it should not be granted by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls. • https://www.cloudfoundry.org/blog/cve-2019-11279 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2019-3801 – Java Projects using HTTP to fetch dependencies
https://notcve.org/view.php?id=CVE-2019-3801
25 Apr 2019 — Cloud Foundry cf-deployment, versions prior to 7.9.0, contains Java components that use an insecure protocol to fetch dependencies at build time. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency and inject malicious code into the component. • http://www.securityfocus.com/bid/108104 • CWE-319: Cleartext Transmission of Sensitive Information • CWE-494: Download of Code Without Integrity Check •
CVE-2019-3788 – UAA redirect-uri allows wildcard in the subdomain
https://notcve.org/view.php?id=CVE-2019-3788
25 Apr 2019 — Cloud Foundry UAA Release, versions prior to 71.0, allows clients to be configured with an insecure redirect URI. Given a UAA client configured with a wildcard in the redirect URI's subdomain, a remote unauthenticated malicious user can craft a phishing link to obtain a UAA access code from the victim. • https://www.cloudfoundry.org/blog/cve-2019-3788 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2019-3775 – UAA allows users to modify their own email address
https://notcve.org/view.php?id=CVE-2019-3775
07 Mar 2019 — Cloud Foundry UAA, versions prior to v70.0, allows a user to update their own email address. A remote authenticated user can impersonate a different user by changing their email address to that of the other user. • https://www.cloudfoundry.org/blog/cve-2019-3775 • CWE-287: Improper Authentication • CWE-290: Authentication Bypass by Spoofing •