CVE-2016-0883: Improper Authentication in Software Operations Manager

Severity
9.8 CRITICAL (NVD)
EPSS
0.2%
top 63.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 18
Latest update: May 17

Description

Pivotal Cloud Foundry (PCF) Ops Manager before 1.5.14 and 1.6.x before 1.6.9 uses the same cookie-encryption key across different customers' installations, which allows remote attackers to bypass session authentication by leveraging knowledge of this key from another installation.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 | Impact: 5.9

Affected Packages: 1 package

Vulnerability Details

2
GHSA
GHSA-62qc-rw6h-372c: Pivotal Cloud Foundry (PCF) Ops Manager before 1 (2022-05-17)
CVEList
CVE-2016-0883: Pivotal Cloud Foundry (PCF) Ops Manager before 1 (2016-09-18)