CVE-2019-3790

Ops Manager uaa client issues tokens after refresh token expiration

CVSS 6.1 MEDIUMEPSS 0.7%CWE-324

The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Affected products

Pivotal · Pivotal Ops Manager

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://pivotal.io/security/cve-2019-3790 http://www.securityfocus.com/bid/108512