Vulnerability Details : CVE-2018-1278
Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered. Accepting this invitation gives unauthorized access to view the member list, domains, quotas and other information about the org.
Vulnerability category: Bypass
Products affected by CVE-2018-1278
- Pivotal Software » Pivotal Application Service, versions from including (>=) 2.0.0 and before (<) 2.0.13 (cpe:2.3:a:pivotal_software:pivotal_application_service:*:*:*:*:*:*:*:*)
- Pivotal Software » Pivotal Application Service, versions from including (>=) 1.12.0 and before (<) 1.12.22 (cpe:2.3:a:pivotal_software:pivotal_application_service:*:*:*:*:*:*:*:*)
- Pivotal Software » Pivotal Application Service, versions from including (>=) 2.1.0 and before (<) 2.1.4 (cpe:2.3:a:pivotal_software:pivotal_application_service:*:*:*:*:*:*:*:*)
Exploit prediction scoring system (EPSS) score for CVE-2018-1278
EPSS score: 0.13% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~47% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2018-1278
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST | |
CWE ids for CVE-2018-1278
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-1278
- https://pivotal.io/security/cve-2018-1278 (CVE-2018-1278: Apps Manager allows unauthorized org invitations | Security | Pivotal) - Vendor Advisory
- http://www.securityfocus.com/bid/104227 (Pivotal Application Service CVE-2018-1278 Security Bypass Vulnerability) - Third Party Advisory; VDB Entry