Lucene search

DellCVELIST:CVE-2019-3790

HistoryJun 06, 2019 - 7:16 p.m.

CVE-2019-3790 Ops Manager uaa client issues tokens after refresh token expiration

2019-06-0619:16:16

CWE-324

dell

www.cve.org

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

35.3%

JSON

The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.

CNA Affected

[
  {
    "product": "Pivotal Ops Manager",
    "vendor": "Pivotal",
    "versions": [
      {
        "lessThan": "2.3.16",
        "status": "affected",
        "version": "2.3",
        "versionType": "custom"
      },
      {
        "lessThan": "2.4.11",
        "status": "affected",
        "version": "2.4",
        "versionType": "custom"
      },
      {
        "lessThan": "2.2.23",
        "status": "affected",
        "version": "2.2",
        "versionType": "custom"
      },
      {
        "lessThan": "2.5.3",
        "status": "affected",
        "version": "2.5",
        "versionType": "custom"
      }
    ]
  }
]

References

www.securityfocus.com/bid/108512

pivotal.io/security/cve-2019-3790

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

35.3%

JSON

Related for CVELIST:CVE-2019-3790