CVE-2019-3790 MEDIUM

CVE-2019-3790: Ops Manager uaa client issues tokens after refresh token expiration

Vendor Pivotal
Product Pivotal Ops Manager
Weakness CWE-324
Published June 6, 2019
Last update September 16, 2024

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

Description

The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.

Key dates

Disclosure timeline

June 6, 2019 CVE published
September 16, 2024 Record updated