CVE-2019-11294 - OpenCVE

Cloud Foundry Cloud Controller API (CAPI), version 1.88.0, allows space developers to list all global service brokers, including service broker URLs and GUIDs, which should only be accessible to admins.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Cloudfoundry	Capi-release Cf-deployment

Configuration 1 [-]

OR	cpe:2.3:a:cloudfoundry:capi-release:1.88.0:::::::*
	cpe:2.3:a:cloudfoundry:cf-deployment::::::::

References

Link	Resource
https://www.cloudfoundry.org/blog/cve-2019-11294	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: pivotal

Published: 2019-12-19T00:00:00

Updated: 2019-12-19T19:35:11

Reserved: 2019-04-18T00:00:00

Link: CVE-2019-11294

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-12-19T20:15:12.347

Modified: 2021-08-17T15:30:24.957

Link: CVE-2019-11294

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "CAPI", "vendor": "Cloud Foundry", "versions": [{"status": "affected", "version": "1.88.0"}]}], "datePublic": "2019-12-19T00:00:00", "descriptions": [{"lang": "en", "value": "Cloud Foundry Cloud Controller API (CAPI), version 1.88.0, allows space developers to list all global service brokers, including service broker URLs and GUIDs, which should only be accessible to admins."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-12-19T19:35:11", "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "shortName": "pivotal"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cloudfoundry.org/blog/cve-2019-11294"}], "source": {"discovery": "UNKNOWN"}, "title": "CAPI leaks service broker URLs and GUIDs to space developers", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@pivotal.io", "DATE_PUBLIC": "2019-12-19T00:00:00.000Z", "ID": "CVE-2019-11294", "STATE": "PUBLIC", "TITLE": "CAPI leaks service broker URLs and GUIDs to space developers"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CAPI", "version": {"version_data": [{"affected": "=", "version_affected": "=", "version_value": "1.88.0"}]}}]}, "vendor_name": "Cloud Foundry"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cloud Foundry Cloud Controller API (CAPI), version 1.88.0, allows space developers to list all global service brokers, including service broker URLs and GUIDs, which should only be accessible to admins."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://www.cloudfoundry.org/blog/cve-2019-11294", "refsource": "CONFIRM", "url": "https://www.cloudfoundry.org/blog/cve-2019-11294"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "assignerShortName": "pivotal", "cveId": "CVE-2019-11294", "datePublished": "2019-12-19T00:00:00", "dateReserved": "2019-04-18T00:00:00", "dateUpdated": "2019-12-19T19:35:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudfoundry:capi-release:1.88.0:*:*:*:*:*:*:*", "matchCriteriaId": "7B8FCBF2-913A-4149-B89E-96770709A73B", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*", "matchCriteriaId": "6782152F-8BE6-48DC-9A7A-6F0F5533E89D", "versionEndExcluding": "12.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cloud Foundry Cloud Controller API (CAPI), version 1.88.0, allows space developers to list all global service brokers, including service broker URLs and GUIDs, which should only be accessible to admins."}, {"lang": "es", "value": "Cloud Foundry Cloud Controller API (CAPI), versi\u00f3n 1.88.0, permite a los desarrolladores de espacio enumerar a todos los brokers de servicios globales, incluyendo las URL y los GUID de los intermediarios de servicios, que solo deben ser accesibles para administradores."}], "id": "CVE-2019-11294", "lastModified": "2021-08-17T15:30:24.957", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@pivotal.io", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-19T20:15:12.347", "references": [{"source": "security@pivotal.io", "tags": ["Vendor Advisory"], "url": "https://www.cloudfoundry.org/blog/cve-2019-11294"}], "sourceIdentifier": "security@pivotal.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@pivotal.io", "type": "Secondary"}]}