CVE-2019-11283

Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. A remote user with access to the SMB Volume logs can discover the username and password for volumes that have been recently created, allowing the user to take control of the SMB Volume.

CVSS v3 8.8 HIGH
CVSS v2.0 4.0 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.cloudfoundry.org/blog/cve-2019-11283	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:pivotal_software:cloud_foundry_smb_volume:*:*:*:*:*:*:*:*

History

17 Aug 2021, 14:29

Type	Values Removed	Values Added
CPE	cpe:2.3:a:pivotal_software:cloud_foundry_cf-deployment::::::::	cpe:2.3:a:cloudfoundry:cf-deployment::::::::

Information

Published : 2019-10-23 16:15

Updated : 2023-12-10 13:13

NVD link : CVE-2019-11283

Mitre link : CVE-2019-11283

CVE.ORG link : CVE-2019-11283

JSON object : View

Products Affected

cloudfoundry

cf-deployment

pivotal_software

cloud_foundry_smb_volume

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2019-11283", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "security@pivotal.io", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2019-10-23T16:15:11.590", "references": [{"url": "https://www.cloudfoundry.org/blog/cve-2019-11283", "tags": ["Vendor Advisory"], "source": "security@pivotal.io"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}, {"type": "Secondary", "source": "security@pivotal.io", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. A remote user with access to the SMB Volume logs can discover the username and password for volumes that have been recently created, allowing the user to take control of the SMB Volume."}, {"lang": "es", "value": "Cloud Foundry SMB Volume, versiones anteriores a v2.0.3, imprime accidentalmente informaci\u00f3n confidencial en los registros. Un usuario remoto con acceso a los registros de SMB Volume puede descubrir el nombre de usuario y la contrase\u00f1a de los vol\u00famenes que han sido dise\u00f1ado recientemente, permitiendo tomar el control de SMB Volume."}], "lastModified": "2021-08-17T14:29:23.840", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "32F2903C-37BF-4B89-BA89-664986DC9F8B", "versionEndExcluding": "12.2.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_smb_volume:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3588E44D-4FBC-4816-A2A0-342B1538F20C", "versionEndExcluding": "2.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "security@pivotal.io"}