CVE-2019-3793Channel Accessible by Non-Endpoint in Apps Manager

CWE-300Channel Accessible by Non-EndpointCWE-319Cleartext Transmission of Sensitive Info3 documents3 sources
Severity
9.8CRITICALNVD
EPSS
0.3%
top 51.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Pivotal Apps ManagerPivotal Software Application Service
Timeline
PublishedApr 24
Latest updateMay 24

Description

Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP. A remote unauthenticated user could listen to network traffic and gain access to the authorization credentials used to make the invitation requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

CVEListV5pivotal/apps_manager666666.0.21+2
NVDpivotal_software/application_service665.0.0665.0.28+2

🔴Vulnerability Details

2
GHSA
GHSA-67rq-xjmx-ww89: Pivotal Apps Manager Release, versions 6652022-05-24
CVEList
Invitations Service supports HTTP connections2019-04-24
CVE-2019-3793 — Channel Accessible by Non-Endpoint | cvebase