CVE-2019-3787: UAA defaults email address to an insecure domain
High
Pivotal Cloud Foundry
Pivotal Application Service (2.3.x versions prior to 2.3.14, 2.4.x versions prior to 2.4.10, 2.5.x versions prior to 2.5.7, and 2.6.x versions prior to 2.6.2), Pivotal Container Service (1.3.x versions prior to 1.3.8, and 1.4.x versions prior to 1.4.2), and Pivotal Ops Manager (2.3.x versions prior to 2.3.20, 2.4.x versions prior to 2.4.14, 2.5.x versions prior to 2.5.10, and 2.6.x versions prior to 2.6.4), through their dependency on a vulnerable version of UAA (60.x versions prior to 60.14, 64.x versions prior to 64.2, 66.x versions prior to 66.1, and 71.x versions prior to 71.1), fall back to appending "unknown.org" to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails being sent to a potentially fraudulent address. This would allow an attacker to gain complete control of the user's account.
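As an added illustration (not UAA's own code), the snippet below models the fallback the advisory describes beside a hardened variant, and includes an audit helper that flags user records whose stored address already sits in the externally held domain. The record shape, the function names and the use of the RFC 2606 reserved `.invalid` domain for the hardened variant are assumptions for this example, not UAA's actual fix.

```python
from typing import Optional

LEGACY_FALLBACK_DOMAIN = "unknown.org"  # externally held domain used by vulnerable UAA
RESERVED_DOMAIN = "invalid"             # RFC 2606 reserved TLD; assumption: local policy, never routable


def vulnerable_default_email(username: str, email: Optional[str]) -> str:
    """Behaviour described in the advisory: with no email and no '@' in the
    user name, an address in a domain the operator does not own is synthesised,
    so password-recovery mail can leave the organisation."""
    if email:
        return email
    if "@" in username:
        return username
    return f"{username}@{LEGACY_FALLBACK_DOMAIN}"


def safe_default_email(username: str, email: Optional[str]) -> str:
    """Hardened variant (assumption, not UAA's fix): a derived address is only
    ever placed in a reserved, non-routable domain, so mail cannot reach a third party."""
    if email:
        return email
    if "@" in username:
        return username
    return f"{username}@{RESERVED_DOMAIN}"


def find_unknown_org_accounts(users):
    """Audit helper: return user names whose stored email is in unknown.org,
    the tell-tale sign that the vulnerable fallback populated the record."""
    flagged = []
    for user in users:
        email = (user.get("email") or "").strip().lower()
        if email.endswith("@" + LEGACY_FALLBACK_DOMAIN):
            flagged.append(user["userName"])
    return flagged


# Constructed sample records (SCIM-like shape assumed); not real UAA data.
SAMPLE_USERS = [
    {"userName": "alice@example.com", "email": "alice@example.com"},
    {"userName": "svc-deploy", "email": "svc-deploy@unknown.org"},
    {"userName": "bob", "email": "bob@example.com"},
    {"userName": "ops-admin", "email": "OPS-ADMIN@unknown.org"},
]

if __name__ == "__main__":
    print(vulnerable_default_email("svc-deploy", None))  # svc-deploy@unknown.org
    print(safe_default_email("svc-deploy", None))        # svc-deploy@invalid
    print(find_unknown_org_accounts(SAMPLE_USERS))       # ['svc-deploy', 'ops-admin']
```

Accounts the audit flags should have their email corrected by an administrator after upgrading, since the upgrade alone does not rewrite records that were already populated with the fallback address.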
Severity is high unless otherwise noted.
- Pivotal Application Service (PAS)
  - 2.3.x versions prior to 2.3.14
  - 2.4.x versions prior to 2.4.10
  - 2.5.x versions prior to 2.5.7
  - 2.6.x versions prior to 2.6.2
- Pivotal Container Service (PKS)
  - 1.3.x versions prior to 1.3.8
  - 1.4.x versions prior to 1.4.2
- Pivotal Ops Manager
  - 2.3.x versions prior to 2.3.20
  - 2.4.x versions prior to 2.4.14
  - 2.5.x versions prior to 2.5.10
  - 2.6.x versions prior to 2.6.4
- UAA Release
  - v60.x versions prior to v60.14
  - v64.x versions prior to v64.2
  - v66.x versions prior to v66.1
  - v71.x versions prior to v71.1
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
  - Pivotal Application Service (PAS)
    - 2.3.14
    - 2.4.10
    - 2.5.7
    - 2.6.2
  - Pivotal Container Service (PKS)
    - 1.3.8
    - 1.4.2
  - Pivotal Ops Manager
    - 2.3.20
    - 2.4.14
    - 2.5.10
    - 2.6.4
  - UAA Release
    - v60.14
    - v64.2
    - v66.1
    - v71.1
This vulnerability was responsibly reported by Kristian Kraljic from SAP.
- https://www.cloudfoundry.org/blog/cve-2019-3787/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3787
2019-08-20: Initial vulnerability report published
2019-09-26: Updated Affected Versions, Description and Mitigation sections for the PAS 2.3 release line
2019-12-13: Added PAS 2.6 fixed version