Vulnerabilities > CVE-2018-1278 - Incorrect Authorization vulnerability in Pivotal Software Pivotal Application Service

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

pivotal-software

CWE-863

NVD

Published: 2018-05-11

Updated: 2019-10-03

Summary

Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org.

Vulnerable Configurations

Part	Description	Count
Application	Pivotal_Software Pivotal Software Pivotal Application Service 1.12.0 Pivotal Software Pivotal Application Service 1.12.1 Pivotal Software Pivotal Application Service 1.12.2 Pivotal Software Pivotal Application Service 1.12.3 Pivotal Software Pivotal Application Service 1.12.4 Pivotal Software Pivotal Application Service 1.12.5 Pivotal Software Pivotal Application Service 1.12.6 Pivotal Software Pivotal Application Service 1.12.7 Pivotal Software Pivotal Application Service 1.12.8 Pivotal Software Pivotal Application Service 1.12.9 Pivotal Software Pivotal Application Service 1.12.10 Pivotal Software Pivotal Application Service 1.12.11 Pivotal Software Pivotal Application Service 1.12.12 Pivotal Software Pivotal Application Service 1.12.13 Pivotal Software Pivotal Application Service 1.12.14 Pivotal Software Pivotal Application Service 1.12.15 Pivotal Software Pivotal Application Service 1.12.16 Pivotal Software Pivotal Application Service 1.12.17 Pivotal Software Pivotal Application Service 1.12.18 Pivotal Software Pivotal Application Service 1.12.19 Pivotal Software Pivotal Application Service 1.12.20 Pivotal Software Pivotal Application Service 1.12.21 Pivotal Software Pivotal Application Service 2.0.0 Pivotal Software Pivotal Application Service 2.0.1 Pivotal Software Pivotal Application Service 2.0.2 Pivotal Software Pivotal Application Service 2.0.3 Pivotal Software Pivotal Application Service 2.0.4 Pivotal Software Pivotal Application Service 2.0.5 Pivotal Software Pivotal Application Service 2.0.6 Pivotal Software Pivotal Application Service 2.0.7 Pivotal Software Pivotal Application Service 2.0.8 Pivotal Software Pivotal Application Service 2.0.9 Pivotal Software Pivotal Application Service 2.0.10 Pivotal Software Pivotal Application Service 2.0.11 Pivotal Software Pivotal Application Service 2.0.12 Pivotal Software Pivotal Application Service 2.1.0 Pivotal Software Pivotal Application Service 2.1.1 Pivotal Software Pivotal Application Service 2.1.2 Pivotal Software Pivotal Application Service 2.1.3	39

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References