Privilege Escalation via Scope Manipulation in CF UAA

Privilege Escalation via Scope Manipulation in CF UAA

CVE-2019-11279 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls.

Learn more about our User Device Pen Test.