CVE-2018-1278 - OpenCVE

Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pivotal Software	Pivotal Application Service

Configuration 1 [-]

OR	cpe:2.3:a:pivotal_software:pivotal_application_service::::::::
	cpe:2.3:a:pivotal_software:pivotal_application_service::::::::
	cpe:2.3:a:pivotal_software:pivotal_application_service::::::::

No data.

References

Link	Providers
http://www.securityfocus.com/bid/104227
https://pivotal.io/security/cve-2018-1278

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2018-05-11T20:00:00Z

Updated: 2024-09-16T23:42:24.325Z

Reserved: 2017-12-06T00:00:00

Link: CVE-2018-1278

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-05-11T20:29:00.463

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-1278

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Pivotal Application Service", "vendor": "Pivotal", "versions": [{"status": "affected", "version": "1.12.x prior to 1.12.22 and 2.0.x prior to 2.0.13 and 2.1.x prior to 2.1.4"}]}], "datePublic": "2018-05-10T00:00:00", "descriptions": [{"lang": "en", "value": "Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org."}], "problemTypes": [{"descriptions": [{"description": "Authorization Error", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-05-22T13:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://pivotal.io/security/cve-2018-1278"}, {"name": "104227", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104227"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "DATE_PUBLIC": "2018-05-10T00:00:00", "ID": "CVE-2018-1278", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Pivotal Application Service", "version": {"version_data": [{"version_value": "1.12.x prior to 1.12.22 and 2.0.x prior to 2.0.13 and 2.1.x prior to 2.1.4"}]}}]}, "vendor_name": "Pivotal"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Authorization Error"}]}]}, "references": {"reference_data": [{"name": "https://pivotal.io/security/cve-2018-1278", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2018-1278"}, {"name": "104227", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104227"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:59:37.602Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://pivotal.io/security/cve-2018-1278"}, {"name": "104227", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/104227"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2018-1278", "datePublished": "2018-05-11T20:00:00Z", "dateReserved": "2017-12-06T00:00:00", "dateUpdated": "2024-09-16T23:42:24.325Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:pivotal_application_service:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4FDBD8A-FC66-4291-A6A5-FBE76D0ADD52", "versionEndExcluding": "1.12.22", "versionStartIncluding": "1.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:pivotal_application_service:*:*:*:*:*:*:*:*", "matchCriteriaId": "312F07C2-46FD-4BBB-AF1F-635D99F0B8D1", "versionEndExcluding": "2.0.13", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:pivotal_application_service:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE5C77EB-057C-4044-8484-7ABCE9956805", "versionEndExcluding": "2.1.4", "versionStartIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org."}, {"lang": "es", "value": "Apps Manager en Pivotal Application Service, en versiones 1.12.x anteriores a la 1.12.22, versiones 2.0.x anteriores a la 2.0.13 y versiones 2.1.x anteriores a la 2.1.4, contiene una vulnerabilidad de imposici\u00f3n de autorizaci\u00f3n. Un miembro de cualquier org puede crear invitaciones a cualquier org para la cual se puede descubrir la GUID de esta. Si se acepta esta invitaci\u00f3n, se otorga acceso no autorizado para ver la lista de miembros, dominios, cuotas y otro tipo de informaci\u00f3n sobre la org."}], "id": "CVE-2018-1278", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-11T20:29:00.463", "references": [{"source": "security_alert@emc.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104227"}, {"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://pivotal.io/security/cve-2018-1278"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}