CVE-2019-3793
24.04.2019, 16:29
Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP. A remote unauthenticated user could listen to network traffic and gain access to the authorization credentials used to make the invitation requests.Enginsight
| Vendor | Product | Version |
|---|---|---|
| pivotal_software | application_service | 665.0.0 ≤ 𝑥 < 665.0.28 |
| pivotal_software | application_service | 666.0.0 ≤ 𝑥 < 666.0.21 |
| pivotal_software | application_service | 667.0.0 ≤ 𝑥 < 667.0.7 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-300 - Channel Accessible by Non-EndpointThe product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
- CWE-319 - Cleartext Transmission of Sensitive InformationThe software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.