Is CVE-2019-11288 actively exploited?

CVE-2019-11288 has no public evidence of in-the-wild exploitation as of 2024-11-21.

What is the CVSS score for CVE-2019-11288?

CVE-2019-11288 has a CVSS score of 7 (HIGH severity). Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.

How do I patch CVE-2019-11288?

Patch guidance is available from pivotal security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2019-11288.

Fix CVE-2019-11288 - HIGH pivotal tc runtimes

Q: Which products are affected by CVE-2019-11288?

5 products: pivotal tc runtimes, pivotal tc runtimes, pivotal tc runtimes, pivotal tc server, pivotal tc server.

Description

In Pivotal tc Server, 3.x versions prior to 3.2.19 and 4.x versions prior to 4.0.10, and Pivotal tc Runtimes, 7.x versions prior to 7.0.99.B, 8.x versions prior to 8.5.47.A, and 9.x versions prior to 9.0.27.A, when a tc Runtime instance is configured with the JMX Socket Listener, a local attacker without access to the tc Runtime process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the tc Runtime instance.

CVSS Metrics

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: local
Complexity: high
Privileges: low
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-269 · Improper Privilege ManagementNVD-CWE-Other

Metadata

Primary Vendor: PIVOTAL
Published: 1/27/2020
Last Modified: 11/21/2024
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

pivotal : tc_runtimespivotal : tc_runtimespivotal : tc_runtimespivotal : tc_serverpivotal : tc_server

Remediation Guidance

Executive Summary

View on NIST NVD