CVE-2019-3787
Last modified
CVE-2019-3787 is a vulnerability of currently unknown severity. Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending “unknown.org” to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. EPSS estimates a 1.10% chance of exploitation in the next 30 days.
Description
Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending “unknown.org” to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user's account.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Pivotal Software | Cloud Foundry Uaa-Release | < 73.0.0 |
References
- https://www.cloudfoundry.org/blog/cve-2019-3787Vendor Advisory
- https://www.cloudfoundry.org/blog/cve-2019-3787Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-3787?
How severe is CVE-2019-3787?
How do I fix CVE-2019-3787?
Are you affected by CVE-2019-3787?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST