CVE-2019-3790

Summary

The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.

Affected Software

VendorProductVersion RangeStatus
PivotalPivotal Ops Manager2.3 < 2.3.16affected
PivotalPivotal Ops Manager2.4 < 2.4.11affected
PivotalPivotal Ops Manager2.2 < 2.2.23affected
PivotalPivotal Ops Manager2.5 < 2.5.3affected

Weaknesses

  • CWE-324: CWE-324: Use of a Key Past its Expiration Date

ADP Enrichment

CVE Program Container

Additional References

References