CVE-2019-11277

Published: Sep 23, 2019Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. A remote authenticated malicious space developer can potentially inject LDAP filters via service instance creation, facilitating the malicious space developer to deny service or perform a dictionary attack.

Affected (3)

Products: Cloudfoundry: Cf Deployment, Nfs Volume Release

2 products

Nfs Volume Release

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Cloudfoundry Cf Deployment	Before 11.1.0
Cloudfoundry Nfs Volume Release	From 1.7.0 to 1.7.11
Cloudfoundry Nfs Volume Release	From 2.0.0 to 2.3.0

Related CWEs

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

References (2)

https://www.cloudfoundry.org/blog/cve-2019-11277

Source: security@pivotal.io

Vendor Advisory

https://www.cloudfoundry.org/blog/cve-2019-11277

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.