CVE-2019-3790
06.06.2019, 19:29
The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.Enginsight
| Vendor | Product | Version |
|---|---|---|
| pivotal_software | operations_manager | 2.2.0 ≤ 𝑥 < 2.2.23 |
| pivotal_software | operations_manager | 2.3.0 ≤ 𝑥 < 2.3.16 |
| pivotal_software | operations_manager | 2.4.0 ≤ 𝑥 < 2.4.11 |
| pivotal_software | operations_manager | 2.5.0 ≤ 𝑥 < 2.5.3 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-324 - Use of a Key Past its Expiration DateThe product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.
- CWE-613 - Insufficient Session ExpirationAccording to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."