CVE-2019-3777

Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller's DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller

Published: Mar 7, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-3777
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-295

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
pivotal_software / application_service	2.2.0	2.2.12
pivotal_software / application_service	2.3.0	2.3.7
pivotal_software / application_service	2.4.0	2.4.3

http://www.securityfocus.com/bid/107214
https://pivotal.io/security/cve-2019-3777

Vulnerability Database

289,599

CVE-2019-3777