8.4
CVE-2019-11277
- EPSS 0.88%
- Veröffentlicht 23.09.2019 18:15:11
- Zuletzt bearbeitet 21.11.2024 04:20:50
- Quelle security@pivotal.io
- CVE-Watchlists
- Unerledigt
LoginVolume Services is vulnerable to an LDAP injection attack
Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. A remote authenticated malicious space developer can potentially inject LDAP filters via service instance creation, facilitating the malicious space developer to deny service or perform a dictionary attack.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Cloudfoundry ≫ Cf-deployment Version < 11.1.0
Cloudfoundry ≫ Nfs Volume Release Version >= 1.7.0 < 1.7.11
Cloudfoundry ≫ Nfs Volume Release Version >= 2.0.0 < 2.3.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.88% | 0.748 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 2.8 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
|
| nvd@nist.gov | 5.5 | 8 | 4.9 |
AV:N/AC:L/Au:S/C:P/I:N/A:P
|
| security@pivotal.io | 8.4 | 1.8 | 6 |
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
|
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.