CVE-2019-3787

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2019-3787

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3787.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-3787

Published

2019-06-19T23:15:10.127Z

Modified

2026-04-10T04:18:05.713907Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending “unknown.org” to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user's account.

References

https://www.cloudfoundry.org/blog/cve-2019-3787

Affected packages

Git / github.com/cloudfoundry/uaa-release

Affected ranges

Type

GIT

Repo

https://github.com/cloudfoundry/uaa-release

Events

Introduced

Fixed

5f31da343f6ddde535e5b5aaa3df8d0a2feb1498

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "73.0.0"
        }
    ]
}

Affected versions

Other

ci-upgrade

v10

v11

v12

v14

v15

v16

v17

v18

v19

v20

v21

v22

v23

v24

v25

v26

v27

v31

v53

v55

v56

v57

v58

v59

v60

v12.*

v12.3

v61.*

v61.0

v62.*

v62.0

v63.*

v63.0

v64.*

v64.0

v66.*

v66.0

v67.*

v67.0

v68.*

v68.0

v69.*

v69.0

v70.*

v70.0

v71.*

v71.0

v72.*

v72.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3787.json"