Ops Manager uaa client issues tokens after refresh token expiration
CVE-2019-3790

6.1MEDIUM

Key Information:

Vendor

Pivotal

Vendor
CVE Published:
6 June 2019

What is CVE-2019-3790?

The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.

Affected Version(s)

Pivotal Ops Manager 2.3 < 2.3.16

Pivotal Ops Manager 2.4 < 2.4.11

Pivotal Ops Manager 2.2 < 2.2.23

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

CVSS V3.0

Score:
6.1
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.