CVE-2019-3777 HIGH

CVE-2019-3777: Apps Manager unverified SSL certs in Cloud Controller proxy

Vendor Pivotal
Product Apps Manager
Weakness CWE-295
Published March 7, 2019
Last update September 16, 2024

CVSS base score

8.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01 Description

Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contains Apps Manager, which uses a Cloud Controller proxy that fails to verify SSL certificates. A remote unauthenticated attacker who could hijack the Cloud Controller's DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller.

Key dates

02 Disclosure timeline

March 7, 2019 CVE published
September 16, 2024 Record updated