Authentication flaw

2016-09-1802:59:00

PRIOn knowledge base

www.prio-n.com

7.5 High

AI Score

Confidence

Low

0.006 Low

EPSS

Percentile

78.3%

JSON

Pivotal Cloud Foundry (PCF) Ops Manager before 1.5.14 and 1.6.x before 1.6.9 uses the same cookie-encryption key across different customers’ installations, which allows remote attackers to bypass session authentication by leveraging knowledge of this key from another installation.

CPENameOperatorVersion
operations_managereq1.6.4
operations_managereq1.6.3
operations_managerle1.5.13
operations_managereq1.6.1
operations_managereq1.6.6
operations_managereq1.6.0
operations_managereq1.6.7
operations_managereq1.6.5
operations_managereq1.6.2
operations_managereq1.6.8

Name	Operator	Version
operations_manager	eq	1.6.4
operations_manager	eq	1.6.3
operations_manager	le	1.5.13
operations_manager	eq	1.6.1
operations_manager	eq	1.6.6
operations_manager	eq	1.6.0
operations_manager	eq	1.6.7
operations_manager	eq	1.6.5
operations_manager	eq	1.6.2
operations_manager	eq	1.6.8

References

pivotal.io/security/pcf-ops-manager-weak-authentication-scheme