CVE-2019-3803

Published: Jan 12, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Pivotal Concourse, all versions prior to 4.2.2, puts the user access token in a url during the login flow. A remote attacker who gains access to a user's browser history could obtain the access token and use it to authenticate as the user.

Affected (1)

Products: Pivotal Software: Concourse

Pivotal Software

1 product

Concourse

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pivotal Software Concourse	Before 4.2.2

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (2)

https://pivotal.io/security/cve-2019-3803

Source: security_alert@emc.com

Vendor Advisory

https://pivotal.io/security/cve-2019-3803

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.