CVE-2019-3777: Improper Certificate Validation in Apps Manager

Severity: 9.8 CRITICAL (NVD); 8.0 (CNA)
EPSS: 0.6% (top 30.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 7; latest update May 13

Description

Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain an Apps Manager that uses a Cloud Controller proxy that fails to verify SSL certificates. A remote, unauthenticated attacker who could hijack the Cloud Controller's DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

Source     | Package                              | Affected from | Fixed in | More
CVEListV5  | pivotal/apps_manager                 | 666           | 666.0.19 | +2
CVEListV5  | pivotal/pivotal_application_service  | 2.4           | 2.4.3    | +2
NVD        | pivotal_software/application_service | 2.2.0         | 2.2.12   | +2

Vulnerability Details (2 sources)

GHSA (GHSA-g3g6-cq9j-rcv6): Pivotal Application Service (PAS), versions 2... (2022-05-13)
CVEList: Apps Manager unverified SSL certs in Cloud Controller proxy (2019-03-07)
CVE-2019-3777 — Improper Certificate Validation | cvebase