Vulnerability Details : CVE-2019-11275
Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7, contain a vulnerability where a remote authenticated user can create an app with a name such that a csv program can interpret into a formula and gets executed. The malicious user can possibly gain access to a usage report that requires a higher privilege.
Products affected by CVE-2019-11275
- cpe:2.3:a:pivotal:apps_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal:apps_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal:apps_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal:apps_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal:apps_manager:*:*:*:*:*:*:*:*
- Pivotal Software » Pivotal Application ServiceVersions from including (>=) 2.4.0 and up to, including, (<=) 2.4.14cpe:2.3:a:pivotal_software:pivotal_application_service:*:*:*:*:*:*:*:*
- Pivotal Software » Pivotal Application ServiceVersions from including (>=) 2.5.0 and up to, including, (<=) 2.5.1cpe:2.3:a:pivotal_software:pivotal_application_service:*:*:*:*:*:*:*:*
- Pivotal Software » Pivotal Application ServiceVersions from including (>=) 2.6.0 and up to, including, (<=) 2.6.5cpe:2.3:a:pivotal_software:pivotal_application_service:*:*:*:*:*:*:*:*
- Pivotal Software » Pivotal Application ServiceVersions from including (>=) 2.3.0 and up to, including, (<=) 2.3.18cpe:2.3:a:pivotal_software:pivotal_application_service:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-11275
0.11%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 43 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-11275
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
8.0
|
2.9
|
NIST | |
3.5
|
LOW | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
2.1
|
1.4
|
Pivotal Software, Inc. | |
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
2.8
|
1.4
|
NIST |
CWE ids for CVE-2019-11275
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by: security@pivotal.io (Secondary)
-
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-11275
-
https://pivotal.io/security/cve-2019-11275
CVE-2019-11275: CSV Injection in the PAS usage report | Security | PivotalVendor Advisory
Jump to