CVE-2019-11288
tcServer JMX Socket Listener Registry Rebinding Local Privilege Escalation
Vexday Risk Score
21 · Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.3 · EPSS 0.3% · KEV no · PoC — · Nuclei — · Metasploit — · Patch —
Lifecycle
27 Jan 2020 · Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
In Pivotal tc Server, 3.x versions prior to 3.2.19 and 4.x versions prior to 4.0.10, and Pivotal tc Runtimes, 7.x versions prior to 7.0.99.B, 8.x versions prior to 8.5.47.A, and 9.x versions prior to 9.0.27.A, when a tc Runtime instance is configured with the JMX Socket Listener, a local attacker without access to the tc Runtime process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the tc Runtime instance.
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected products
Pivotal · Pivotal tc Server 3.x
Pivotal · Pivotal tc Server 3.x Runtimes
Pivotal · Pivotal tc Server 4.x
Pivotal · Pivotal tc Server 4.x Runtimes