CVE-2018-1278 - OpenCVE

Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Pivotal Software	Pivotal Application Service

Configuration 1 [-]

OR	cpe:2.3:a:pivotal_software:pivotal_application_service::::::::
	cpe:2.3:a:pivotal_software:pivotal_application_service::::::::
	cpe:2.3:a:pivotal_software:pivotal_application_service::::::::

References

Link	Resource
http://www.securityfocus.com/bid/104227	Third Party Advisory VDB Entry
https://pivotal.io/security/cve-2018-1278	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: dell

Published: 2018-05-10T00:00:00

Updated: 2018-05-22T13:57:01

Reserved: 2017-12-06T00:00:00

Link: CVE-2018-1278

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-05-11T20:29:00.463

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-1278

JSON object: View

Redhat Information

No data.

CWE

CWE-863

{"containers": {"cna": {"affected": [{"product": "Pivotal Application Service", "vendor": "Pivotal", "versions": [{"status": "affected", "version": "1.12.x prior to 1.12.22 and 2.0.x prior to 2.0.13 and 2.1.x prior to 2.1.4"}]}], "datePublic": "2018-05-10T00:00:00", "descriptions": [{"lang": "en", "value": "Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org."}], "problemTypes": [{"descriptions": [{"description": "Authorization Error", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-05-22T13:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://pivotal.io/security/cve-2018-1278"}, {"name": "104227", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104227"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "DATE_PUBLIC": "2018-05-10T00:00:00", "ID": "CVE-2018-1278", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Pivotal Application Service", "version": {"version_data": [{"version_value": "1.12.x prior to 1.12.22 and 2.0.x prior to 2.0.13 and 2.1.x prior to 2.1.4"}]}}]}, "vendor_name": "Pivotal"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Authorization Error"}]}]}, "references": {"reference_data": [{"name": "https://pivotal.io/security/cve-2018-1278", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2018-1278"}, {"name": "104227", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104227"}]}}}}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2018-1278", "datePublished": "2018-05-10T00:00:00", "dateReserved": "2017-12-06T00:00:00", "dateUpdated": "2018-05-22T13:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:pivotal_application_service:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4FDBD8A-FC66-4291-A6A5-FBE76D0ADD52", "versionEndExcluding": "1.12.22", "versionStartIncluding": "1.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:pivotal_application_service:*:*:*:*:*:*:*:*", "matchCriteriaId": "312F07C2-46FD-4BBB-AF1F-635D99F0B8D1", "versionEndExcluding": "2.0.13", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal_software:pivotal_application_service:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE5C77EB-057C-4044-8484-7ABCE9956805", "versionEndExcluding": "2.1.4", "versionStartIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org."}, {"lang": "es", "value": "Apps Manager en Pivotal Application Service, en versiones 1.12.x anteriores a la 1.12.22, versiones 2.0.x anteriores a la 2.0.13 y versiones 2.1.x anteriores a la 2.1.4, contiene una vulnerabilidad de imposici\u00f3n de autorizaci\u00f3n. Un miembro de cualquier org puede crear invitaciones a cualquier org para la cual se puede descubrir la GUID de esta. Si se acepta esta invitaci\u00f3n, se otorga acceso no autorizado para ver la lista de miembros, dominios, cuotas y otro tipo de informaci\u00f3n sobre la org."}], "id": "CVE-2018-1278", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-11T20:29:00.463", "references": [{"source": "security_alert@emc.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104227"}, {"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://pivotal.io/security/cve-2018-1278"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}