CVE-2019-11293 - OpenCVE

Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cloudfoundry	Cf-deployment User Account And Authentication

Configuration 1 [-]

OR	cpe:2.3:a:cloudfoundry:cf-deployment::::::::
	cpe:2.3:a:cloudfoundry:user_account_and_authentication::::::::

No data.

References

Link	Providers
https://www.cloudfoundry.org/blog/cve-2019-11293

History

No history.

MITRE

Status: PUBLISHED

Assigner: pivotal

Published: 2019-12-06T20:00:17.131916Z

Updated: 2024-09-16T17:57:54.838Z

Reserved: 2019-04-18T00:00:00

Link: CVE-2019-11293

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-12-06T20:15:09.577

Modified: 2019-12-12T17:22:20.473

Link: CVE-2019-11293

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "UAA Release", "vendor": "Cloud Foundry", "versions": [{"lessThan": "v74.10.0", "status": "affected", "version": "All", "versionType": "custom"}]}], "datePublic": "2019-12-03T00:00:00", "descriptions": [{"lang": "en", "value": "Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532: Inclusion of Sensitive Information in Log Files", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-12-06T20:00:17", "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "shortName": "pivotal"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cloudfoundry.org/blog/cve-2019-11293"}], "source": {"discovery": "UNKNOWN"}, "title": "UAA logs all query parameters with debug logging level", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@pivotal.io", "DATE_PUBLIC": "2019-12-03T00:00:00.000Z", "ID": "CVE-2019-11293", "STATE": "PUBLIC", "TITLE": "UAA logs all query parameters with debug logging level"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "UAA Release", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "All", "version_value": "v74.10.0"}]}}]}, "vendor_name": "Cloud Foundry"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-532: Inclusion of Sensitive Information in Log Files"}]}]}, "references": {"reference_data": [{"name": "https://www.cloudfoundry.org/blog/cve-2019-11293", "refsource": "CONFIRM", "url": "https://www.cloudfoundry.org/blog/cve-2019-11293"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:48:09.144Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cloudfoundry.org/blog/cve-2019-11293"}]}]}, "cveMetadata": {"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "assignerShortName": "pivotal", "cveId": "CVE-2019-11293", "datePublished": "2019-12-06T20:00:17.131916Z", "dateReserved": "2019-04-18T00:00:00", "dateUpdated": "2024-09-16T17:57:54.838Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*", "matchCriteriaId": "63D6484A-0B5A-4B81-BCD2-126BD23911AE", "versionEndExcluding": "12.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloudfoundry:user_account_and_authentication:*:*:*:*:*:*:*:*", "matchCriteriaId": "37406F96-9CFA-4500-BF8A-5AE7F4371AC2", "versionEndExcluding": "74.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters."}, {"lang": "es", "value": "Cloud Foundry UAA Release, versiones anteriores a v74.10.0, cuando se establece el nivel de registro DEBUG, registra las credenciales de client_secret cuando se env\u00edan como un par\u00e1metro de consulta. Un usuario malicioso autenticado remoto podr\u00eda conseguir acceso a las credenciales de usuario por medio del archivo uaa.log si la autenticaci\u00f3n es proporcionada por medio de par\u00e1metros de consulta."}], "id": "CVE-2019-11293", "lastModified": "2019-12-12T17:22:20.473", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@pivotal.io", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-06T20:15:09.577", "references": [{"source": "security@pivotal.io", "tags": ["Vendor Advisory"], "url": "https://www.cloudfoundry.org/blog/cve-2019-11293"}], "sourceIdentifier": "security@pivotal.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "security@pivotal.io", "type": "Secondary"}]}