CVE-2019-11290

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2019-11290

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11290.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-11290

Published

2019-11-26T00:15:11.547Z

Modified

2026-04-10T04:14:10.956370Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well.

References

https://www.cloudfoundry.org/blog/cve-2019-11290

Affected packages

Git / github.com/cloudfoundry/cf-deployment

Affected ranges

Type

GIT

Repo

https://github.com/cloudfoundry/cf-deployment

Events

Introduced

Fixed

5352c2bf4b508086379b4b2cd372a6feb71e41b9

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "12.10.0"
        }
    ]
}

Type

GIT

Repo

https://github.com/cloudfoundry/uaa

Events

Introduced

Fixed

0c35faeee660ed1cebd137427cf6d34e0939394f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "74.8.0"
        }
    ]
}

Affected versions

1.*

1.0.1

1.0.3

1.1

1.1.1

1.1.2

1.2.0

1.2.6

1.4.0

1.4.1

1.4.2

1.4.3

1.4.5

1.4.6

1.4.7

1.5.0

1.5.2

1.5.2.1

1.5.3

1.5.4

1.5.4.1

1.6.1

1.6.2

1.8.0

4.*

4.10.0

4.11.0

4.12.0

4.15.0

4.16.0

4.17.0

4.18.0

4.19.0

4.20.0

4.21.0

4.22.0

4.23.0

4.24.0

4.25.0

4.26.0

4.27.0

4.28.0

4.29.0

4.30.0

4.31.0

4.35.0

4.9.0

releases/4.*

releases/4.15.0

Other

travis-success-1475

travis-success-1478

travis-success-1497

v0.*

v0.0.0

v0.0.1

v0.0.2

v0.1.0

v0.10.0

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.15.0

v0.2.0

v0.2.1

v0.2.2

v0.28.0

v0.29.0

v0.3.0

v0.30.0

v0.31.0

v0.32.0

v0.33.0

v0.34.0

v0.35.0

v0.36.0

v0.37.0

v0.5.0

v0.7.0

v0.8.0

v0.9.0

v0.9.1

v1.*

v1.0.0

v1.1.0

v1.10.0

v1.11.0

v1.12.0

v1.13.0

v1.14.0

v1.15.0

v1.16.0

v1.17.0

v1.18.0

v1.19.0

v1.2.0

v1.20.0

v1.21.0

v1.22.0

v1.23.0

v1.24.0

v1.25.0

v1.26.0

v1.27.0

v1.28.0

v1.29.0

v1.3.0

v1.30.0

v1.31.0

v1.32.0

v1.33.0

v1.34.0

v1.35.0

v1.36.0

v1.37.0

v1.38.0

v1.4.0

v1.5.0

v1.6.0

v1.7.0

v1.8.0

v1.9.0

v10.*

v10.0.0

v10.1.0

v11.*

v11.0.0

v11.1.0

v11.2.0

v12.*

v12.0.0

v12.1.0

v12.2.0

v12.3.0

v12.4.0

v12.5.0

v12.6.0

v12.7.0

v12.8.0

v12.9.0

v2.*

v2.0.0

v2.1.0

v2.2.0

v2.3.0

v2.4.0

v2.5.0

v3.*

v3.0.0

v3.1.0

v3.2.0

v3.3.0

v3.4.0

v3.5.0

v3.6.0

v4.*

v4.0.0

v4.1.0

v4.2.0

v4.3.0

v4.4.0

v4.5.0

v5.*

v5.0.0

v5.1.0

v5.3.0

v5.4.0

v5.5.0

v6.*

v6.0.0

v6.1.0

v6.10.0

v6.2.0

v6.3.0

v6.4.0

v6.5.0

v6.6.0

v6.7.0

v6.8.0

v6.9.0

v7.*

v7.0.0

v7.1.0

v7.2.0

v7.3.0

v7.4.0

v7.5.0

v7.6.0

v7.8.0

v7.9.0

v73.*

v73.7.0

v74.*

v74.0.0

v74.1.0

v74.2.0

v74.3.0

v74.4.0

v74.5.0

v74.6.0

v74.7.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11290.json"