Concourse includes token in CLI authentication callback
CVE-2019-3803

4.5MEDIUM

Key Information:

Vendor

Pivotal

Status
Vendor
CVE Published:
12 January 2019

What is CVE-2019-3803?

Pivotal Concourse, all versions prior to 4.2.2, puts the user access token in a url during the login flow. A remote attacker who gains access to a user's browser history could obtain the access token and use it to authenticate as the user.

Affected Version(s)

Concourse all versions < 4.2.2

References

CVSS V3.1

Score:
4.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

CVSS V3.0

Score:
4.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.