Unrated severityNVD Advisory· Published Aug 19, 2019· Updated Sep 16, 2024

Apps Manager sends tokens to Spring apps via HTTP

CVE-2019-11276

Description

Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring actuator, and subsequent requests via unsecured http. An adjacent unauthenticated user could eavesdrop on the network traffic and gain access to the unencrypted token allowing the attacker to read the type of access a user has over an app. They may also modify the logging level, potentially leading to lost information that would otherwise have been logged.

Affected products

Pivot/Ops Managerllm-fuzzy
Range: >=2.3.0, <2.3.16 || >=2.4.0, <2.4.12 || >=2.5.0, <2.5.8 || >=2.6.0, <2.6.3 ||
Pivotal/Pivotal Application Service (PAS)v5
Range: 2.3

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

pivotal.io/security/cve-2019-11276mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000