Input validation error in Cloud Foundry UAA

#VU35705 Input validation error in Cloud Foundry UAA

Published: 2019-07-18 | Updated: 2020-08-08

Vulnerability identifier: #VU35705

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-3794

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cloud Foundry UAA
Server applications / Web servers

Vendor: Cloud Foundry Foundation

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Cloud Foundry UAA, versions prior to v73.4.0, does not set an X-FRAME-OPTIONS header on various endpoints. A remote user can perform clickjacking attacks on UAA's frontend sites.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Cloud Foundry UAA: 73.0.0 - 73.3.0

External links
http://www.cloudfoundry.org/blog/cve-2019-3794

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in Cloud Foundry UAA