CVE-2019-3777

Summary

Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller's DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller

Affected Software

VendorProductVersion RangeStatus
PivotalApps Manager666 < 666.0.19affected
PivotalApps Manager665 < 665.0.26affected
PivotalApps Manager667 < 667.0.5affected
PivotalPivotal Application Service2.4 < 2.4.3affected
PivotalPivotal Application Service2.3 < 2.3.7affected
PivotalPivotal Application Service2.2 < 2.2.12affected

Weaknesses

  • CWE-295: CWE-295: Improper Certificate Validation

ADP Enrichment

CVE Program Container

Additional References

References