Search

Find a vulnerability

Search criteria

    8 vulnerabilities found for Pivotal Application Service by Pivotal

    CVE-2019-3788 (GCVE-0-2019-3788)

    Vulnerability from nvd – Published: 2019-04-25 20:17 – Updated: 2024-09-16 22:02
    VLAI
    Title
    UAA redirect-uri allows wildcard in the subdomain
    Summary
    Cloud Foundry UAA Release, versions prior to 71.0, allows clients to be configured with an insecure redirect uri. Given a UAA client was configured with a wildcard in the redirect uri's subdomain, a remote malicious unauthenticated user can craft a phishing link to get a UAA access code from the victim.
    CWE
    Assigner
    References
    Impacted products
    Date Public
    2019-04-15 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T19:19:18.261Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2019-3788"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UAA Release (OSS)",
              "vendor": "Cloud Foundry",
              "versions": [
                {
                  "lessThan": "v71.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Pivotal Application Service",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.5.1",
                  "status": "affected",
                  "version": "2.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-04-15T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cloud Foundry UAA Release, versions prior to 71.0, allows clients to be configured with an insecure redirect uri. Given a UAA client was configured with a wildcard in the redirect uri\u0027s subdomain, a remote malicious unauthenticated user can craft a phishing link to get a UAA access code from the victim."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: Open Redirect",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-04-25T20:17:37.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2019-3788"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "UAA redirect-uri allows wildcard in the subdomain",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2019-04-15T00:00:00.000Z",
              "ID": "CVE-2019-3788",
              "STATE": "PUBLIC",
              "TITLE": "UAA redirect-uri allows wildcard in the subdomain"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "UAA Release (OSS)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "v71.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloud Foundry"
                  },
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Application Service",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.5",
                                "version_value": "2.5.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cloud Foundry UAA Release, versions prior to 71.0, allows clients to be configured with an insecure redirect uri. Given a UAA client was configured with a wildcard in the redirect uri\u0027s subdomain, a remote malicious unauthenticated user can craft a phishing link to get a UAA access code from the victim."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-601: Open Redirect"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2019-3788",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2019-3788"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2019-3788",
        "datePublished": "2019-04-25T20:17:37.233Z",
        "dateReserved": "2019-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:02:12.371Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-3777 (GCVE-0-2019-3777)

    Vulnerability from nvd – Published: 2019-03-07 19:00 – Updated: 2024-09-16 21:56
    VLAI
    Title
    Apps Manager unverified SSL certs in Cloud Controller proxy
    Summary
    Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller's DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    References
    URL Tags
    http://www.securityfocus.com/bid/107214 vdb-entryx_refsource_BID
    https://pivotal.io/security/cve-2019-3777 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Apps Manager Affected: 666 , < 666.0.19 (custom)
    Affected: 665 , < 665.0.26 (custom)
    Affected: 667 , < 667.0.5 (custom)
    Create a notification for this product.
    Pivotal Pivotal Application Service Affected: 2.4 , < 2.4.3 (custom)
    Affected: 2.3 , < 2.3.7 (custom)
    Affected: 2.2 , < 2.2.12 (custom)
    Create a notification for this product.
    Date Public
    2019-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T19:19:18.134Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "107214",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/107214"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-3777"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apps Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "666.0.19",
                  "status": "affected",
                  "version": "666",
                  "versionType": "custom"
                },
                {
                  "lessThan": "665.0.26",
                  "status": "affected",
                  "version": "665",
                  "versionType": "custom"
                },
                {
                  "lessThan": "667.0.5",
                  "status": "affected",
                  "version": "667",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Pivotal Application Service",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.4.3",
                  "status": "affected",
                  "version": "2.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.3.7",
                  "status": "affected",
                  "version": "2.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.2.12",
                  "status": "affected",
                  "version": "2.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller\u0027s DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user\u0027s resources in the Cloud Controller"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295: Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-03-08T10:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "name": "107214",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/107214"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-3777"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apps Manager unverified SSL certs in Cloud Controller proxy",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2019-02-26T23:47:49.000Z",
              "ID": "CVE-2019-3777",
              "STATE": "PUBLIC",
              "TITLE": "Apps Manager unverified SSL certs in Cloud Controller proxy"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apps Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "666",
                                "version_value": "666.0.19"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "665",
                                "version_value": "665.0.26"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "667",
                                "version_value": "667.0.5"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Pivotal Application Service",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.4",
                                "version_value": "2.4.3"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.3",
                                "version_value": "2.3.7"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.2",
                                "version_value": "2.2.12"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller\u0027s DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user\u0027s resources in the Cloud Controller"
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-295: Improper Certificate Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "107214",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/107214"
                },
                {
                  "name": "https://pivotal.io/security/cve-2019-3777",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-3777"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2019-3777",
        "datePublished": "2019-03-07T19:00:00.000Z",
        "dateReserved": "2019-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T21:56:55.392Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-11044 (GCVE-0-2018-11044)

    Vulnerability from nvd – Published: 2018-07-24 19:00 – Updated: 2024-09-16 21:02
    VLAI
    Summary
    Pivotal Apps Manager included in Pivotal Application Service, versions 2.2.x prior to 2.2.1 and 2.1.x prior to 2.1.8 and 2.0.x prior to 2.0.17 and 1.12.x prior to 1.12.26, does not escape all user-provided content when sending invitation emails. A malicious authenticated user can inject content into an invite to another user, exploiting the trust implied by the source of the email.
    Severity
    No CVSS data available.
    CWE
    • Information exposure
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2018-11044 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Application Service Affected: 2.2.x , < 2.2.1 (custom)
    Affected: 2.1.x , < 2.1.8 (custom)
    Affected: 2.0.x , < 2.0.17 (custom)
    Affected: 1.12.x , < 1.12.26 (custom)
    Create a notification for this product.
    Date Public
    2018-07-23 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:54:36.532Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2018-11044"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Application Service",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.2.1",
                  "status": "affected",
                  "version": "2.2.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.8",
                  "status": "affected",
                  "version": "2.1.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0.17",
                  "status": "affected",
                  "version": "2.0.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.12.26",
                  "status": "affected",
                  "version": "1.12.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-07-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Apps Manager included in Pivotal Application Service, versions 2.2.x prior to 2.2.1 and 2.1.x prior to 2.1.8 and 2.0.x prior to 2.0.17 and 1.12.x prior to 1.12.26, does not escape all user-provided content when sending invitation emails. A malicious authenticated user can inject content into an invite to another user, exploiting the trust implied by the source of the email."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information exposure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-24T18:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2018-11044"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-07-23T04:00:00.000Z",
              "ID": "CVE-2018-11044",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Application Service",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.2.x",
                                "version_value": "2.2.1"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.1.x",
                                "version_value": "2.1.8"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.0.x",
                                "version_value": "2.0.17"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "1.12.x",
                                "version_value": "1.12.26"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Apps Manager included in Pivotal Application Service, versions 2.2.x prior to 2.2.1 and 2.1.x prior to 2.1.8 and 2.0.x prior to 2.0.17 and 1.12.x prior to 1.12.26, does not escape all user-provided content when sending invitation emails. A malicious authenticated user can inject content into an invite to another user, exploiting the trust implied by the source of the email."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information exposure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2018-11044",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2018-11044"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-11044",
        "datePublished": "2018-07-24T19:00:00.000Z",
        "dateReserved": "2018-05-14T00:00:00.000Z",
        "dateUpdated": "2024-09-16T21:02:31.767Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-1278 (GCVE-0-2018-1278)

    Vulnerability from nvd – Published: 2018-05-11 20:00 – Updated: 2024-09-16 23:42
    VLAI
    Summary
    Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org.
    Severity
    No CVSS data available.
    CWE
    • Authorization Error
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2018-1278 x_refsource_CONFIRM
    http://www.securityfocus.com/bid/104227 vdb-entryx_refsource_BID
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Application Service Affected: 1.12.x prior to 1.12.22 and 2.0.x prior to 2.0.13 and 2.1.x prior to 2.1.4
    Create a notification for this product.
    Date Public
    2018-05-10 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:59:37.602Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2018-1278"
              },
              {
                "name": "104227",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/104227"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Application Service",
              "vendor": "Pivotal",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.12.x prior to 1.12.22 and 2.0.x prior to 2.0.13 and 2.1.x prior to 2.1.4"
                }
              ]
            }
          ],
          "datePublic": "2018-05-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Authorization Error",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-05-22T13:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2018-1278"
            },
            {
              "name": "104227",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/104227"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-05-10T00:00:00",
              "ID": "CVE-2018-1278",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Application Service",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "1.12.x prior to 1.12.22 and 2.0.x prior to 2.0.13 and 2.1.x prior to 2.1.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Authorization Error"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2018-1278",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2018-1278"
                },
                {
                  "name": "104227",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/104227"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-1278",
        "datePublished": "2018-05-11T20:00:00.000Z",
        "dateReserved": "2017-12-06T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:42:24.325Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-3788 (GCVE-0-2019-3788)

    Vulnerability from cvelistv5 – Published: 2019-04-25 20:17 – Updated: 2024-09-16 22:02
    VLAI
    Title
    UAA redirect-uri allows wildcard in the subdomain
    Summary
    Cloud Foundry UAA Release, versions prior to 71.0, allows clients to be configured with an insecure redirect uri. Given a UAA client was configured with a wildcard in the redirect uri's subdomain, a remote malicious unauthenticated user can craft a phishing link to get a UAA access code from the victim.
    CWE
    Assigner
    References
    Impacted products
    Date Public
    2019-04-15 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T19:19:18.261Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2019-3788"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UAA Release (OSS)",
              "vendor": "Cloud Foundry",
              "versions": [
                {
                  "lessThan": "v71.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Pivotal Application Service",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.5.1",
                  "status": "affected",
                  "version": "2.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-04-15T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cloud Foundry UAA Release, versions prior to 71.0, allows clients to be configured with an insecure redirect uri. Given a UAA client was configured with a wildcard in the redirect uri\u0027s subdomain, a remote malicious unauthenticated user can craft a phishing link to get a UAA access code from the victim."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: Open Redirect",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-04-25T20:17:37.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2019-3788"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "UAA redirect-uri allows wildcard in the subdomain",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2019-04-15T00:00:00.000Z",
              "ID": "CVE-2019-3788",
              "STATE": "PUBLIC",
              "TITLE": "UAA redirect-uri allows wildcard in the subdomain"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "UAA Release (OSS)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "v71.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloud Foundry"
                  },
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Application Service",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.5",
                                "version_value": "2.5.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cloud Foundry UAA Release, versions prior to 71.0, allows clients to be configured with an insecure redirect uri. Given a UAA client was configured with a wildcard in the redirect uri\u0027s subdomain, a remote malicious unauthenticated user can craft a phishing link to get a UAA access code from the victim."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-601: Open Redirect"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2019-3788",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2019-3788"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2019-3788",
        "datePublished": "2019-04-25T20:17:37.233Z",
        "dateReserved": "2019-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:02:12.371Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-3777 (GCVE-0-2019-3777)

    Vulnerability from cvelistv5 – Published: 2019-03-07 19:00 – Updated: 2024-09-16 21:56
    VLAI
    Title
    Apps Manager unverified SSL certs in Cloud Controller proxy
    Summary
    Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller's DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    References
    URL Tags
    http://www.securityfocus.com/bid/107214 vdb-entryx_refsource_BID
    https://pivotal.io/security/cve-2019-3777 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Apps Manager Affected: 666 , < 666.0.19 (custom)
    Affected: 665 , < 665.0.26 (custom)
    Affected: 667 , < 667.0.5 (custom)
    Create a notification for this product.
    Pivotal Pivotal Application Service Affected: 2.4 , < 2.4.3 (custom)
    Affected: 2.3 , < 2.3.7 (custom)
    Affected: 2.2 , < 2.2.12 (custom)
    Create a notification for this product.
    Date Public
    2019-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T19:19:18.134Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "107214",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/107214"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-3777"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apps Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "666.0.19",
                  "status": "affected",
                  "version": "666",
                  "versionType": "custom"
                },
                {
                  "lessThan": "665.0.26",
                  "status": "affected",
                  "version": "665",
                  "versionType": "custom"
                },
                {
                  "lessThan": "667.0.5",
                  "status": "affected",
                  "version": "667",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Pivotal Application Service",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.4.3",
                  "status": "affected",
                  "version": "2.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.3.7",
                  "status": "affected",
                  "version": "2.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.2.12",
                  "status": "affected",
                  "version": "2.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller\u0027s DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user\u0027s resources in the Cloud Controller"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295: Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-03-08T10:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "name": "107214",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/107214"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-3777"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apps Manager unverified SSL certs in Cloud Controller proxy",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2019-02-26T23:47:49.000Z",
              "ID": "CVE-2019-3777",
              "STATE": "PUBLIC",
              "TITLE": "Apps Manager unverified SSL certs in Cloud Controller proxy"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apps Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "666",
                                "version_value": "666.0.19"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "665",
                                "version_value": "665.0.26"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "667",
                                "version_value": "667.0.5"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Pivotal Application Service",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.4",
                                "version_value": "2.4.3"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.3",
                                "version_value": "2.3.7"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.2",
                                "version_value": "2.2.12"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller\u0027s DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user\u0027s resources in the Cloud Controller"
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-295: Improper Certificate Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "107214",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/107214"
                },
                {
                  "name": "https://pivotal.io/security/cve-2019-3777",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-3777"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2019-3777",
        "datePublished": "2019-03-07T19:00:00.000Z",
        "dateReserved": "2019-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T21:56:55.392Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-11044 (GCVE-0-2018-11044)

    Vulnerability from cvelistv5 – Published: 2018-07-24 19:00 – Updated: 2024-09-16 21:02
    VLAI
    Summary
    Pivotal Apps Manager included in Pivotal Application Service, versions 2.2.x prior to 2.2.1 and 2.1.x prior to 2.1.8 and 2.0.x prior to 2.0.17 and 1.12.x prior to 1.12.26, does not escape all user-provided content when sending invitation emails. A malicious authenticated user can inject content into an invite to another user, exploiting the trust implied by the source of the email.
    Severity
    No CVSS data available.
    CWE
    • Information exposure
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2018-11044 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Application Service Affected: 2.2.x , < 2.2.1 (custom)
    Affected: 2.1.x , < 2.1.8 (custom)
    Affected: 2.0.x , < 2.0.17 (custom)
    Affected: 1.12.x , < 1.12.26 (custom)
    Create a notification for this product.
    Date Public
    2018-07-23 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:54:36.532Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2018-11044"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Application Service",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.2.1",
                  "status": "affected",
                  "version": "2.2.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.8",
                  "status": "affected",
                  "version": "2.1.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0.17",
                  "status": "affected",
                  "version": "2.0.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.12.26",
                  "status": "affected",
                  "version": "1.12.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-07-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Apps Manager included in Pivotal Application Service, versions 2.2.x prior to 2.2.1 and 2.1.x prior to 2.1.8 and 2.0.x prior to 2.0.17 and 1.12.x prior to 1.12.26, does not escape all user-provided content when sending invitation emails. A malicious authenticated user can inject content into an invite to another user, exploiting the trust implied by the source of the email."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information exposure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-24T18:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2018-11044"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-07-23T04:00:00.000Z",
              "ID": "CVE-2018-11044",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Application Service",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.2.x",
                                "version_value": "2.2.1"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.1.x",
                                "version_value": "2.1.8"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.0.x",
                                "version_value": "2.0.17"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "1.12.x",
                                "version_value": "1.12.26"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Apps Manager included in Pivotal Application Service, versions 2.2.x prior to 2.2.1 and 2.1.x prior to 2.1.8 and 2.0.x prior to 2.0.17 and 1.12.x prior to 1.12.26, does not escape all user-provided content when sending invitation emails. A malicious authenticated user can inject content into an invite to another user, exploiting the trust implied by the source of the email."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information exposure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2018-11044",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2018-11044"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-11044",
        "datePublished": "2018-07-24T19:00:00.000Z",
        "dateReserved": "2018-05-14T00:00:00.000Z",
        "dateUpdated": "2024-09-16T21:02:31.767Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-1278 (GCVE-0-2018-1278)

    Vulnerability from cvelistv5 – Published: 2018-05-11 20:00 – Updated: 2024-09-16 23:42
    VLAI
    Summary
    Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org.
    Severity
    No CVSS data available.
    CWE
    • Authorization Error
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2018-1278 x_refsource_CONFIRM
    http://www.securityfocus.com/bid/104227 vdb-entryx_refsource_BID
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Application Service Affected: 1.12.x prior to 1.12.22 and 2.0.x prior to 2.0.13 and 2.1.x prior to 2.1.4
    Create a notification for this product.
    Date Public
    2018-05-10 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:59:37.602Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2018-1278"
              },
              {
                "name": "104227",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/104227"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Application Service",
              "vendor": "Pivotal",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.12.x prior to 1.12.22 and 2.0.x prior to 2.0.13 and 2.1.x prior to 2.1.4"
                }
              ]
            }
          ],
          "datePublic": "2018-05-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Authorization Error",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-05-22T13:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2018-1278"
            },
            {
              "name": "104227",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/104227"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-05-10T00:00:00",
              "ID": "CVE-2018-1278",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Application Service",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "1.12.x prior to 1.12.22 and 2.0.x prior to 2.0.13 and 2.1.x prior to 2.1.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Authorization Error"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2018-1278",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2018-1278"
                },
                {
                  "name": "104227",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/104227"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-1278",
        "datePublished": "2018-05-11T20:00:00.000Z",
        "dateReserved": "2017-12-06T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:42:24.325Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }