4.3
CVE-2019-11275
- EPSS 0.2%
- Published 01.10.2019 15:15:11
- Last modified 21.11.2024 04:20:50
- Source security@pivotal.io
- Teams watchlist Login
- Open Login
Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7, contain a vulnerability where a remote authenticated user can create an app with a name such that a csv program can interpret into a formula and gets executed. The malicious user can possibly gain access to a usage report that requires a higher privilege.
Data is provided by the National Vulnerability Database (NVD)
Pivotal ≫ Apps Manager Version >= 666.0.0 < 666.0.36
Pivotal ≫ Apps Manager Version >= 667.0.0 < 667.0.22
Pivotal ≫ Apps Manager Version >= 668.0.0 < 668.0.21
Pivotal ≫ Apps Manager Version >= 669.0.0 < 669.0.13
Pivotal ≫ Apps Manager Version >= 670.0.0 < 670.0.7
Pivotal Software ≫ Pivotal Application Service Version >= 2.3.0 <= 2.3.18
Pivotal Software ≫ Pivotal Application Service Version >= 2.4.0 <= 2.4.14
Pivotal Software ≫ Pivotal Application Service Version >= 2.5.0 <= 2.5.1
Pivotal Software ≫ Pivotal Application Service Version >= 2.6.0 <= 2.6.5
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.394 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
| nvd@nist.gov | 4 | 8 | 2.9 |
AV:N/AC:L/Au:S/C:P/I:N/A:N
|
| security@pivotal.io | 3.5 | 2.1 | 1.4 |
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
|
CWE-1236 Improper Neutralization of Formula Elements in a CSV File
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.