Lucene search

[email protected]CVE-2019-11275

HistoryOct 01, 2019 - 3:15 p.m.

CVE-2019-11275

2019-10-0115:15:11

CWE-1236

CWE-74

[email protected]

web.nvd.nist.gov

pivotal application manager

cve-2019-11275

remote execution

vulnerability

csv

higher privilege

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

44.5%

JSON

Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7, contain a vulnerability where a remote authenticated user can create an app with a name such that a csv program can interpret into a formula and gets executed. The malicious user can possibly gain access to a usage report that requires a higher privilege.

Affected configurations

NVD

Node

pivotalapps_managerRange666.0.0–666.0.36

pivotalapps_managerRange667.0.0–667.0.22

pivotalapps_managerRange668.0.0–668.0.21

pivotalapps_managerRange669.0.0–669.0.13

pivotalapps_managerRange670.0.0–670.0.7

Node

pivotal_softwarepivotal_application_serviceRange2.3.0–2.3.18

pivotal_softwarepivotal_application_serviceRange2.4.0–2.4.14

pivotal_softwarepivotal_application_serviceRange2.5.0–2.5.1

pivotal_softwarepivotal_application_serviceRange2.6.0–2.6.5

CPENameOperatorVersion
pivotal:apps_managerpivotal apps managerlt666.0.36
pivotal:apps_managerpivotal apps managerlt667.0.22
pivotal:apps_managerpivotal apps managerlt668.0.21
pivotal:apps_managerpivotal apps managerlt669.0.13
pivotal:apps_managerpivotal apps managerlt670.0.7

CPE	Name	Operator	Version
pivotal:apps_manager	pivotal apps manager	lt	666.0.36
pivotal:apps_manager	pivotal apps manager	lt	667.0.22
pivotal:apps_manager	pivotal apps manager	lt	668.0.21
pivotal:apps_manager	pivotal apps manager	lt	669.0.13
pivotal:apps_manager	pivotal apps manager	lt	670.0.7

CNA Affected

[
  {
    "product": "Apps Manager",
    "vendor": "Pivotal",
    "versions": [
      {
        "lessThan": "670.0.7",
        "status": "affected",
        "version": "670",
        "versionType": "custom"
      },
      {
        "lessThan": "669.0.13",
        "status": "affected",
        "version": "669",
        "versionType": "custom"
      },
      {
        "lessThan": "668.0.21",
        "status": "affected",
        "version": "668",
        "versionType": "custom"
      },
      {
        "lessThan": "667.0.22",
        "status": "affected",
        "version": "667",
        "versionType": "custom"
      },
      {
        "lessThan": "666.0.36",
        "status": "affected",
        "version": "666",
        "versionType": "custom"
      }
    ]
  }
]

References

pivotal.io/security/cve-2019-11275

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

44.5%

JSON

Related for CVE-2019-11275

cvelist1 nvd1 symantec1 prion1