Vulnerabilites related to pivotal_software - application_service
Vulnerability from fkie_nvd
Published
2019-03-07 18:29
Modified
2024-11-21 04:42
Severity ?
8.0 (High) - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller's DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security_alert@emc.com | http://www.securityfocus.com/bid/107214 | Third Party Advisory, VDB Entry | |
| security_alert@emc.com | https://pivotal.io/security/cve-2019-3777 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/107214 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pivotal.io/security/cve-2019-3777 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pivotal_software | application_service | * | |
| pivotal_software | application_service | * | |
| pivotal_software | application_service | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BBC2696F-F573-4358-9759-E283D2B83209",
"versionEndExcluding": "2.2.12",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A6B5D54C-7448-4B56-9238-316A1338A874",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93EDD2F1-9A14-473E-A082-E1AD1DCA943D",
"versionEndExcluding": "2.4.3",
"versionStartIncluding": "2.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller\u0027s DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user\u0027s resources in the Cloud Controller"
},
{
"lang": "es",
"value": "Pivotal Application Service (PAS), en las versiones 2.2.x anteriores a la 2.2.12, en las 2.3.x anteriores a la 2.3.7 y en las 2.4.x anteriores a la 2.4.3, contiene un gestor de aplicaciones que utiliza un proxy de controlador cloud que no verifica los certificados SSL de manera correcta. Un atacante remoto no autenticado capaz de secuestrar el registro DNS del controlador Cloud podr\u00eda interceptar los tokens de acceso enviados al controlador Cloud, proporcionando al atacante el acceso a los recursos del usuario en dicho controlador."
}
],
"id": "CVE-2019-3777",
"lastModified": "2024-11-21T04:42:31.303",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 5.8,
"source": "security_alert@emc.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-03-07T18:29:00.447",
"references": [
{
"source": "security_alert@emc.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/107214"
},
{
"source": "security_alert@emc.com",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-3777"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/107214"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-3777"
}
],
"sourceIdentifier": "security_alert@emc.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "security_alert@emc.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-04-24 16:29
Modified
2024-11-21 04:42
Severity ?
Summary
Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP. A remote unauthenticated user could listen to network traffic and gain access to the authorization credentials used to make the invitation requests.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security_alert@emc.com | https://pivotal.io/security/cve-2019-3793 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pivotal.io/security/cve-2019-3793 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pivotal_software | application_service | * | |
| pivotal_software | application_service | * | |
| pivotal_software | application_service | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C4F17699-1932-4F14-BEF7-AC2D5D092989",
"versionEndExcluding": "665.0.28",
"versionStartIncluding": "665.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E7B2C158-F820-49E4-9ABE-E8FA5D3D58F5",
"versionEndExcluding": "666.0.21",
"versionStartIncluding": "666.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC17B9B3-C740-49DA-9DB2-BB29CBB0A2C0",
"versionEndExcluding": "667.0.7",
"versionStartIncluding": "667.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP. A remote unauthenticated user could listen to network traffic and gain access to the authorization credentials used to make the invitation requests."
},
{
"lang": "es",
"value": "Pivotal Apps Manager Release, versiones 665.0.x anteriores a 665.0.28, versiones 666.0.x anteriores a 666.0.21, versiones 667.0.x anteriores a 667.0.7, presentan un servicio de invitaci\u00f3n que acepta HTTP. Un usuario remoto no autenticado podr\u00eda captar el tr\u00e1fico de la red y lograr acceso a las credenciales de autorizaci\u00f3n usadas para realizar las solicitudes de invitaci\u00f3n."
}
],
"id": "CVE-2019-3793",
"lastModified": "2024-11-21T04:42:33.183",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "security_alert@emc.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-24T16:29:02.263",
"references": [
{
"source": "security_alert@emc.com",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-3793"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-3793"
}
],
"sourceIdentifier": "security_alert@emc.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-300"
}
],
"source": "security_alert@emc.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-08-19 15:15
Modified
2024-11-21 04:20
Severity ?
Summary
Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring actuator, and subsequent requests via unsecured http. An adjacent unauthenticated user could eavesdrop on the network traffic and gain access to the unencrypted token allowing the attacker to read the type of access a user has over an app. They may also modify the logging level, potentially leading to lost information that would otherwise have been logged.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@pivotal.io | https://pivotal.io/security/cve-2019-11276 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pivotal.io/security/cve-2019-11276 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pivotal_software | application_service | * | |
| pivotal_software | application_service | * | |
| pivotal_software | application_service | * | |
| pivotal_software | application_service | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BAFBBB99-898B-42F2-AE5C-5807F51FEE73",
"versionEndExcluding": "2.3.16",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B12C041E-2AC9-44AB-9526-8888C717DEF4",
"versionEndExcluding": "2.4.12",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DE83BAAB-D83A-4E7B-8E65-946A11F314B4",
"versionEndExcluding": "2.5.8",
"versionStartIncluding": "2.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8822F855-AAF9-41E6-A2F7-A34195A3998B",
"versionEndExcluding": "2.6.3",
"versionStartIncluding": "2.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring actuator, and subsequent requests via unsecured http. An adjacent unauthenticated user could eavesdrop on the network traffic and gain access to the unencrypted token allowing the attacker to read the type of access a user has over an app. They may also modify the logging level, potentially leading to lost information that would otherwise have been logged."
},
{
"lang": "es",
"value": "Pivotal Apps Manager, incluido en Pivotal Application Service versiones 2.3.x anteriores a 2.3.16, versiones 2.4.x anteriores a 2.4.12, versiones 2.5.x anteriores a 2.5.8, y versiones 2.6.x anteriores a 2.6.3, realiza una petici\u00f3n al endpoint /cloudapplication por medio del actuador Spring, y las peticiones subsiguientes por medio de http no asegurado. Un usuario no autenticado adyacente podr\u00eda detectar el tr\u00e1fico de la red y conseguir acceso al token no cifrado que permite al atacante leer el tipo de acceso que presenta un usuario por medio de una aplicaci\u00f3n. Tambi\u00e9n pueden modificar el nivel de registro, lo que podr\u00eda conllevar a la p\u00e9rdida de informaci\u00f3n que de otra manera se habr\u00eda registrado."
}
],
"id": "CVE-2019-11276",
"lastModified": "2024-11-21T04:20:50.153",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security@pivotal.io",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-19T15:15:11.280",
"references": [
{
"source": "security@pivotal.io",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-11276"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-11276"
}
],
"sourceIdentifier": "security@pivotal.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "security@pivotal.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-08-05 17:15
Modified
2024-11-21 04:20
Severity ?
Summary
Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EA028AB4-A389-41D4-997B-23DD70DC3025",
"versionEndExcluding": "2.3.15",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9103B5F4-870C-4629-871D-25DB2C96E6C6",
"versionEndExcluding": "2.4.11",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF7BA0B1-9C33-42F1-8ACA-6AE2EAC13F5B",
"versionEndExcluding": "2.5.7",
"versionStartIncluding": "2.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C687BD70-0109-4798-9B9D-C7BD35D601D5",
"versionEndExcluding": "2.6.2",
"versionStartIncluding": "2.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9D95746D-026A-4B5A-BEDF-3218F10AF7F0",
"versionEndExcluding": "73.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:operations_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AA8501AB-24B2-4A92-AEDD-2EE7CD852DB5",
"versionEndExcluding": "2.3.22",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:operations_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB30A404-6A76-4226-A224-12B6A8131A38",
"versionEndExcluding": "2.4.16",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:operations_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6F0C15A4-76D8-4740-B5F6-70607C83A5DA",
"versionEndExcluding": "2.5.10",
"versionStartIncluding": "2.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:operations_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F0AF17FF-40DC-4FC6-B89B-4AE8C1372FD8",
"versionEndExcluding": "2.6.4",
"versionStartIncluding": "2.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the \u0027clients.write\u0027 authority or scope can bypass the restrictions imposed on clients created via \u0027clients.write\u0027 and create clients with arbitrary scopes that the creator does not possess."
},
{
"lang": "es",
"value": "Cloud Foundry UAA versiones anteriores a v73.4.0, contienen una vulnerabilidad en la que un cliente malicioso bajo posesi\u00f3n de la autoridad o el alcance \"clients.write\" puede omitir las restricciones impuestas a los clientes creados por medio de \"clients.write\" y crear clientes con alcances arbitrarios que no poseen."
}
],
"id": "CVE-2019-11270",
"lastModified": "2024-11-21T04:20:49.487",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.0,
"impactScore": 5.8,
"source": "security@pivotal.io",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-05T17:15:10.820",
"references": [
{
"source": "security@pivotal.io",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-11270"
},
{
"source": "security@pivotal.io",
"tags": [
"Vendor Advisory"
],
"url": "https://www.cloudfoundry.org/blog/cve-2019-11270"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-11270"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.cloudfoundry.org/blog/cve-2019-11270"
}
],
"sourceIdentifier": "security@pivotal.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "security@pivotal.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2019-3793
Vulnerability from cvelistv5
Published
2019-04-24 15:21
Modified
2024-09-17 02:42
Severity ?
EPSS score ?
Summary
Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP. A remote unauthenticated user could listen to network traffic and gain access to the authorization credentials used to make the invitation requests.
References
| ▼ | URL | Tags |
|---|---|---|
| https://pivotal.io/security/cve-2019-3793 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Pivotal | Apps Manager |
Version: 666 < 666.0.21 Version: 667 < 667.0.7 Version: 665 < 665.0.28 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:18.225Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2019-3793"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apps Manager",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "666.0.21",
"status": "affected",
"version": "666",
"versionType": "custom"
},
{
"lessThan": "667.0.7",
"status": "affected",
"version": "667",
"versionType": "custom"
},
{
"lessThan": "665.0.28",
"status": "affected",
"version": "665",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-04-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP. A remote unauthenticated user could listen to network traffic and gain access to the authorization credentials used to make the invitation requests."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-300",
"description": "CWE-300: Man-in-the-Middle",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-24T15:21:10",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2019-3793"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Invitations Service supports HTTP connections",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security_alert@emc.com",
"DATE_PUBLIC": "2019-04-16T15:45:27.000Z",
"ID": "CVE-2019-3793",
"STATE": "PUBLIC",
"TITLE": "Invitations Service supports HTTP connections"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apps Manager",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "666",
"version_value": "666.0.21"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "667",
"version_value": "667.0.7"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "665",
"version_value": "665.0.28"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP. A remote unauthenticated user could listen to network traffic and gain access to the authorization credentials used to make the invitation requests."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-300: Man-in-the-Middle"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2019-3793",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2019-3793"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2019-3793",
"datePublished": "2019-04-24T15:21:10.482554Z",
"dateReserved": "2019-01-03T00:00:00",
"dateUpdated": "2024-09-17T02:42:24.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-11276
Vulnerability from cvelistv5
Published
2019-08-19 14:49
Modified
2024-09-16 16:13
Severity ?
EPSS score ?
Summary
Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring actuator, and subsequent requests via unsecured http. An adjacent unauthenticated user could eavesdrop on the network traffic and gain access to the unencrypted token allowing the attacker to read the type of access a user has over an app. They may also modify the logging level, potentially leading to lost information that would otherwise have been logged.
References
| ▼ | URL | Tags |
|---|---|---|
| https://pivotal.io/security/cve-2019-11276 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Pivotal | Pivotal Application Service (PAS) |
Version: 2.3 < 2.3.16 Version: 2.4 < 2.4.12 Version: 2.5 < 2.5.8 Version: 2.6 < 2.6.3 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:48:09.149Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2019-11276"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pivotal Application Service (PAS)",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "2.3.16",
"status": "affected",
"version": "2.3",
"versionType": "custom"
},
{
"lessThan": "2.4.12",
"status": "affected",
"version": "2.4",
"versionType": "custom"
},
{
"lessThan": "2.5.8",
"status": "affected",
"version": "2.5",
"versionType": "custom"
},
{
"lessThan": "2.6.3",
"status": "affected",
"version": "2.6",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-08-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring actuator, and subsequent requests via unsecured http. An adjacent unauthenticated user could eavesdrop on the network traffic and gain access to the unencrypted token allowing the attacker to read the type of access a user has over an app. They may also modify the logging level, potentially leading to lost information that would otherwise have been logged."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319: Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-19T14:49:27",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2019-11276"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apps Manager sends tokens to Spring apps via HTTP",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2019-08-16T19:23:14.737Z",
"ID": "CVE-2019-11276",
"STATE": "PUBLIC",
"TITLE": "Apps Manager sends tokens to Spring apps via HTTP"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pivotal Application Service (PAS)",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.3",
"version_value": "2.3.16"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.4",
"version_value": "2.4.12"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.5",
"version_value": "2.5.8"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.6",
"version_value": "2.6.3"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring actuator, and subsequent requests via unsecured http. An adjacent unauthenticated user could eavesdrop on the network traffic and gain access to the unencrypted token allowing the attacker to read the type of access a user has over an app. They may also modify the logging level, potentially leading to lost information that would otherwise have been logged."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-319: Cleartext Transmission of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2019-11276",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2019-11276"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2019-11276",
"datePublished": "2019-08-19T14:49:27.910651Z",
"dateReserved": "2019-04-18T00:00:00",
"dateUpdated": "2024-09-16T16:13:54.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-11270
Vulnerability from cvelistv5
Published
2019-08-05 16:21
Modified
2024-09-17 04:19
Severity ?
EPSS score ?
Summary
Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.cloudfoundry.org/blog/cve-2019-11270 | x_refsource_CONFIRM | |
| https://pivotal.io/security/cve-2019-11270 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloud Foundry | UAA Release (OSS) |
Version: prior to v73.4.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:48:09.048Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cloudfoundry.org/blog/cve-2019-11270"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2019-11270"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "UAA Release (OSS)",
"vendor": "Cloud Foundry",
"versions": [
{
"status": "affected",
"version": "prior to v73.4.0"
}
]
}
],
"datePublic": "2019-08-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the \u0027clients.write\u0027 authority or scope can bypass the restrictions imposed on clients created via \u0027clients.write\u0027 and create clients with arbitrary scopes that the creator does not possess."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-20T18:50:49",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cloudfoundry.org/blog/cve-2019-11270"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2019-11270"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "UAA clients.write vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2019-08-01T00:00:00.000Z",
"ID": "CVE-2019-11270",
"STATE": "PUBLIC",
"TITLE": "UAA clients.write vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "UAA Release (OSS)",
"version": {
"version_data": [
{
"version_value": "prior to v73.4.0"
}
]
}
}
]
},
"vendor_name": "Cloud Foundry"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the \u0027clients.write\u0027 authority or scope can bypass the restrictions imposed on clients created via \u0027clients.write\u0027 and create clients with arbitrary scopes that the creator does not possess."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-269: Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cloudfoundry.org/blog/cve-2019-11270",
"refsource": "CONFIRM",
"url": "https://www.cloudfoundry.org/blog/cve-2019-11270"
},
{
"name": "https://pivotal.io/security/cve-2019-11270",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2019-11270"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2019-11270",
"datePublished": "2019-08-05T16:21:54.798114Z",
"dateReserved": "2019-04-18T00:00:00",
"dateUpdated": "2024-09-17T04:19:01.006Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-3777
Vulnerability from cvelistv5
Published
2019-03-07 19:00
Modified
2024-09-16 21:56
Severity ?
EPSS score ?
Summary
Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller's DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/107214 | vdb-entry, x_refsource_BID | |
| https://pivotal.io/security/cve-2019-3777 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |||||
|---|---|---|---|---|---|---|---|
| ▼ | Pivotal | Apps Manager |
Version: 666 < 666.0.19 Version: 665 < 665.0.26 Version: 667 < 667.0.5 |
||||
|
|||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:18.134Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "107214",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/107214"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2019-3777"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apps Manager",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "666.0.19",
"status": "affected",
"version": "666",
"versionType": "custom"
},
{
"lessThan": "665.0.26",
"status": "affected",
"version": "665",
"versionType": "custom"
},
{
"lessThan": "667.0.5",
"status": "affected",
"version": "667",
"versionType": "custom"
}
]
},
{
"product": "Pivotal Application Service",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "2.4.3",
"status": "affected",
"version": "2.4",
"versionType": "custom"
},
{
"lessThan": "2.3.7",
"status": "affected",
"version": "2.3",
"versionType": "custom"
},
{
"lessThan": "2.2.12",
"status": "affected",
"version": "2.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-02-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller\u0027s DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user\u0027s resources in the Cloud Controller"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-08T10:57:01",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"name": "107214",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/107214"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2019-3777"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apps Manager unverified SSL certs in Cloud Controller proxy",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security_alert@emc.com",
"DATE_PUBLIC": "2019-02-26T23:47:49.000Z",
"ID": "CVE-2019-3777",
"STATE": "PUBLIC",
"TITLE": "Apps Manager unverified SSL certs in Cloud Controller proxy"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apps Manager",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "666",
"version_value": "666.0.19"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "665",
"version_value": "665.0.26"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "667",
"version_value": "667.0.5"
}
]
}
},
{
"product_name": "Pivotal Application Service",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.4",
"version_value": "2.4.3"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.3",
"version_value": "2.3.7"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.2",
"version_value": "2.2.12"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller\u0027s DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user\u0027s resources in the Cloud Controller"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295: Improper Certificate Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "107214",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/107214"
},
{
"name": "https://pivotal.io/security/cve-2019-3777",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2019-3777"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2019-3777",
"datePublished": "2019-03-07T19:00:00Z",
"dateReserved": "2019-01-03T00:00:00",
"dateUpdated": "2024-09-16T21:56:55.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}