CVE-2019-11283 - OpenCVE

Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. A remote user with access to the SMB Volume logs can discover the username and password for volumes that have been recently created, allowing the user to take control of the SMB Volume.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Cloudfoundry	Cf-deployment
Pivotal Software	Cloud Foundry Smb Volume

Configuration 1 [-]

cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:pivotal_software:cloud_foundry_smb_volume:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.cloudfoundry.org/blog/cve-2019-11283	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: pivotal

Published: 2019-10-22T00:00:00

Updated: 2019-10-23T15:32:22

Reserved: 2019-04-18T00:00:00

Link: CVE-2019-11283

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-10-23T16:15:11.590

Modified: 2021-08-17T14:29:23.840

Link: CVE-2019-11283

JSON object: View

Redhat Information

No data.

CWE

CWE-532

{"containers": {"cna": {"affected": [{"product": "SMB Volume", "vendor": "Cloud Foundry", "versions": [{"lessThan": "v2.0.3", "status": "affected", "version": "All", "versionType": "custom"}]}, {"product": "CF Deployment", "vendor": "Cloud Foundry", "versions": [{"lessThan": "v12.2.0", "status": "affected", "version": "All", "versionType": "custom"}]}], "datePublic": "2019-10-22T00:00:00", "descriptions": [{"lang": "en", "value": "Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. A remote user with access to the SMB Volume logs can discover the username and password for volumes that have been recently created, allowing the user to take control of the SMB Volume."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532: Inclusion of Sensitive Information in Log Files", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-10-23T15:32:22", "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "shortName": "pivotal"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cloudfoundry.org/blog/cve-2019-11283"}], "source": {"discovery": "UNKNOWN"}, "title": "Password leak in smbdriver logs", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@pivotal.io", "DATE_PUBLIC": "2019-10-22T23:03:26.802Z", "ID": "CVE-2019-11283", "STATE": "PUBLIC", "TITLE": "Password leak in smbdriver logs"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SMB Volume", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "All", "version_value": "v2.0.3"}]}}, {"product_name": "CF Deployment", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "All", "version_value": "v12.2.0"}]}}]}, "vendor_name": "Cloud Foundry"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. A remote user with access to the SMB Volume logs can discover the username and password for volumes that have been recently created, allowing the user to take control of the SMB Volume."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-532: Inclusion of Sensitive Information in Log Files"}]}]}, "references": {"reference_data": [{"name": "https://www.cloudfoundry.org/blog/cve-2019-11283", "refsource": "CONFIRM", "url": "https://www.cloudfoundry.org/blog/cve-2019-11283"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "assignerShortName": "pivotal", "cveId": "CVE-2019-11283", "datePublished": "2019-10-22T00:00:00", "dateReserved": "2019-04-18T00:00:00", "dateUpdated": "2019-10-23T15:32:22", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*", "matchCriteriaId": "32F2903C-37BF-4B89-BA89-664986DC9F8B", "versionEndExcluding": "12.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_smb_volume:*:*:*:*:*:*:*:*", "matchCriteriaId": "3588E44D-4FBC-4816-A2A0-342B1538F20C", "versionEndExcluding": "2.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. A remote user with access to the SMB Volume logs can discover the username and password for volumes that have been recently created, allowing the user to take control of the SMB Volume."}, {"lang": "es", "value": "Cloud Foundry SMB Volume, versiones anteriores a v2.0.3, imprime accidentalmente informaci\u00f3n confidencial en los registros. Un usuario remoto con acceso a los registros de SMB Volume puede descubrir el nombre de usuario y la contrase\u00f1a de los vol\u00famenes que han sido dise\u00f1ado recientemente, permitiendo tomar el control de SMB Volume."}], "id": "CVE-2019-11283", "lastModified": "2021-08-17T14:29:23.840", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@pivotal.io", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-23T16:15:11.590", "references": [{"source": "security@pivotal.io", "tags": ["Vendor Advisory"], "url": "https://www.cloudfoundry.org/blog/cve-2019-11283"}], "sourceIdentifier": "security@pivotal.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "security@pivotal.io", "type": "Secondary"}]}