CWE: CWE-295 (Improper Certificate Validation)

CVE-2019-3777: Apps Manager unverified SSL certs in Cloud Controller proxy

First published: Tue Feb 26 2019

Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain an Apps Manager that uses a Cloud Controller proxy that fails to verify SSL certificates. A remote, unauthenticated attacker who could hijack the Cloud Controller's DNS record could intercept the access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller.
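The failure mode in the advisory is a general one: an HTTPS client that skips certificate verification will complete a handshake with whatever answers at the upstream's DNS name and then send its bearer token to it. The Go program below is an added example written for this page, not Apps Manager's or Pivotal's code; it models the proxy's upstream client in both forms. The weak client (InsecureSkipVerify) hands the token to a self-signed impostor, a client using system trust roots refuses the handshake before any request is sent, and the corrected client validates against an explicit trust root. The upstream server, the token value and the `/v2/info` path are constructed for the demonstration; `upstreamRecorder`, `laxClient`, `strictClient` and `forwardToken` are names chosen here.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// upstreamRecorder stands in for whatever answers at the Cloud Controller's
// DNS name (the real API, or an impostor that hijacked the record). It records
// every Authorization header it receives so we can see which tokens leaked.
type upstreamRecorder struct {
	mu   sync.Mutex
	seen []string
}

func (u *upstreamRecorder) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	u.mu.Lock()
	u.seen = append(u.seen, r.Header.Get("Authorization"))
	u.mu.Unlock()
	w.WriteHeader(http.StatusOK)
}

// TokensSeen returns a copy of the tokens the upstream has received so far.
func (u *upstreamRecorder) TokensSeen() []string {
	u.mu.Lock()
	defer u.mu.Unlock()
	return append([]string(nil), u.seen...)
}

// laxClient models the flaw: the proxy's HTTPS client accepts any certificate,
// so a handshake with an impostor succeeds and the token is handed over.
func laxClient() *http.Client {
	return &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the weak setting
		},
	}
}

// strictClient is the corrected form: the chain must validate against an
// explicit trust root (the CA that issued the Cloud Controller's certificate),
// and the certificate's name must match the host being dialled, which
// crypto/tls enforces by default once InsecureSkipVerify is off.
func strictClient(trustRoot *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(trustRoot)
	return &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
		},
	}
}

// forwardToken does the one thing a Cloud Controller proxy must do: relay the
// user's access token upstream. It returns the upstream status, or the error
// that stopped the request (for a verifying client, the failed TLS handshake).
func forwardToken(client *http.Client, upstreamURL, token string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, upstreamURL+"/v2/info", nil) // path chosen for illustration
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	upstream := &upstreamRecorder{}
	srv := httptest.NewTLSServer(upstream) // self-signed certificate, as an impostor would present
	defer srv.Close()
	const token = "constructed-access-token" // constructed sample value, not a real token

	status, err := forwardToken(laxClient(), srv.URL, token)
	fmt.Printf("lax client:         status=%d err=%v tokens leaked=%d\n", status, err, len(upstream.TokensSeen()))

	_, err = forwardToken(&http.Client{Timeout: 5 * time.Second}, srv.URL, token)
	fmt.Printf("system trust roots: err=%v\n", err) // unknown authority: handshake refused, token never sent

	status, err = forwardToken(strictClient(srv.Certificate()), srv.URL, token)
	fmt.Printf("pinned trust root:  status=%d err=%v\n", status, err)
}
```

The point of the middle case is that the token never leaves the proxy: certificate validation happens inside the TLS handshake, before the HTTP request with the Authorization header is written, so a verifying client fails closed. The fix is therefore not only to turn verification on but to supply the trust root the platform actually uses, so that the proxy does not have to fall back to skipping verification when the Cloud Controller's certificate is issued by an internal CA.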

Credit: security_alert@emc.com

Affected software                      Affected version    How to fix
Pivotal Software Application Service   >=2.2.0, <2.2.12    Upgrade to 2.2.12
Pivotal Software Application Service   >=2.3.0, <2.3.7     Upgrade to 2.3.7
Pivotal Software Application Service   >=2.4.0, <2.4.3     Upgrade to 2.4.3

Frequently Asked Questions

  • What is CVE-2019-3777?

    CVE-2019-3777 is a vulnerability in Pivotal Application Service (PAS) versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7, and 2.4.x prior to 2.4.3.

  • What is the severity of CVE-2019-3777?

    CVE-2019-3777 has a severity rating of 9.8 (critical).

  • How does CVE-2019-3777 affect Pivotal Application Service?

    CVE-2019-3777 affects Pivotal Application Service because the Apps Manager's Cloud Controller proxy does not verify SSL certificates: a remote unauthenticated attacker who can hijack the Cloud Controller's DNS record can intercept the access tokens the proxy sends, and with them gain access to the user's resources in the Cloud Controller.

  • Which versions of Pivotal Application Service are affected by CVE-2019-3777?

    CVE-2019-3777 affects versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7, and 2.4.x prior to 2.4.3 of Pivotal Application Service.

  • How can I fix CVE-2019-3777?

    To fix CVE-2019-3777, upgrade to Pivotal Application Service versions 2.2.12, 2.3.7, or 2.4.3.

© 2024 SecAlerts Pty Ltd.