Pivotal Software: >> Cloud Foundry Uaa-Release >> 28 Security Vulnerabilities
Cloud Foundry UAA version prior to 73.3.0, contain endpoints that contains improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those reading privileges to all other identity zones and obtain private information on users, clients, and groups in all other identity zones.
CVSS Score
6.5
EPSS Score
0.004
Published
2019-07-11
Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending “unknown.org” to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user's account.
CVSS Score
8.3
EPSS Score
0.003
Published
2019-06-19