CVE-2019-3790Use of a Key Past its Expiration Date in OPS Manager

CWE-324Use of a Key Past its Expiration DateCWE-613Insufficient Session Expiration3 documents3 sources
Severity
5.4MEDIUMNVD
CNA6.1
EPSS
0.1%
top 81.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Pivotal OPS ManagerPivotal Software Operations Manager
Timeline
PublishedJun 6
Latest updateMay 24

Description

The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

CVEListV5pivotal/pivotal_ops_manager2.32.3.16+3
NVDpivotal_software/operations_manager2.2.02.2.23+3

🔴Vulnerability Details

2
GHSA
GHSA-73vj-wxr6-3pq5: The Pivotal Ops Manager, 22022-05-24
CVEList
Ops Manager uaa client issues tokens after refresh token expiration2019-06-06
CVE-2019-3790 — Use of a Key Past its Expiration Date | cvebase