Lucene search

[email protected]CVE-2019-3790

HistoryJun 06, 2019 - 7:29 p.m.

CVE-2019-3790

2019-06-0619:29:00

CWE-613

CWE-324

[email protected]

web.nvd.nist.gov

148

pivotal ops manager

cve-2019-3790

token expiration bypass

unauthorized access

nvd

5.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

5.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.5%

JSON

The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.

Affected configurations

NVD

Node

pivotal_softwareoperations_managerRange2.2.0–2.2.23

pivotal_softwareoperations_managerRange2.3.0–2.3.16

pivotal_softwareoperations_managerRange2.4.0–2.4.11

pivotal_softwareoperations_managerRange2.5.0–2.5.3

CPENameOperatorVersion
pivotal_software:operations_managerpivotal software operations managerlt2.2.23
pivotal_software:operations_managerpivotal software operations managerlt2.3.16
pivotal_software:operations_managerpivotal software operations managerlt2.4.11
pivotal_software:operations_managerpivotal software operations managerlt2.5.3

CPE	Name	Operator	Version
pivotal_software:operations_manager	pivotal software operations manager	lt	2.2.23
pivotal_software:operations_manager	pivotal software operations manager	lt	2.3.16
pivotal_software:operations_manager	pivotal software operations manager	lt	2.4.11
pivotal_software:operations_manager	pivotal software operations manager	lt	2.5.3

CNA Affected

[
  {
    "product": "Pivotal Ops Manager",
    "vendor": "Pivotal",
    "versions": [
      {
        "lessThan": "2.3.16",
        "status": "affected",
        "version": "2.3",
        "versionType": "custom"
      },
      {
        "lessThan": "2.4.11",
        "status": "affected",
        "version": "2.4",
        "versionType": "custom"
      },
      {
        "lessThan": "2.2.23",
        "status": "affected",
        "version": "2.2",
        "versionType": "custom"
      },
      {
        "lessThan": "2.5.3",
        "status": "affected",
        "version": "2.5",
        "versionType": "custom"
      }
    ]
  }
]

References

www.securityfocus.com/bid/108512

pivotal.io/security/cve-2019-3790

5.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

5.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.5%

JSON

Related for CVE-2019-3790

cvelist1 prion1 nvd1