Vulnerability Description
Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, ships an Apps Manager whose Cloud Controller proxy does not verify the TLS (SSL) certificate presented by the Cloud Controller. A remote, unauthenticated attacker who can hijack the Cloud Controller's DNS record could therefore impersonate it and intercept the access tokens the proxy forwards, gaining the token holder's access to that user's resources in the Cloud Controller.
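The failure mode described above, as an added Go example that is not Pivotal's or Apps Manager's own code: a proxy's outbound TLS client built with InsecureSkipVerify (the weak setting) beside the same client pinned to the Cloud Controller's certificate, each driven against a real Cloud Controller and an impersonator standing in for the attacker behind a hijacked DNS record. Both servers, their self-signed certificates, the hostname api.sys.example.com, the /v2/info path and the token value are constructed for the example and are not taken from the advisory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Token is a constructed stand-in for the user's access token, not a real one.
const Token = "constructed-test-token"

// selfSignedCert mints a self-signed server cert for 127.0.0.1 (test-only).
func selfSignedCert(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// startServer runs a fake Cloud Controller that records into *seen the Authorization header of any request that completes the TLS handshake.
func startServer(cert tls.Certificate, seen *string) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		*seen = r.Header.Get("Authorization")
		fmt.Fprint(w, `{"name":"cloud-controller"}`)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

// newProxyClient is the proxy's outbound client. skipVerify=true is the
// vulnerable setting; false pins the operator's trust root.
func newProxyClient(trusted *x509.CertPool, skipVerify bool) *http.Client {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if skipVerify {
		cfg.InsecureSkipVerify = true // VULNERABLE: any cert, including an impersonator's, is accepted
	} else {
		cfg.RootCAs = trusted // FIXED: the chain must end at the pinned root
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
}

// forwardToken does what the proxy does: attach the bearer token and call the Cloud Controller. The token leaves the proxy only if the handshake succeeds.
func forwardToken(c *http.Client, ccURL string) error {
	req, err := http.NewRequest(http.MethodGet, ccURL+"/v2/info", nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+Token)
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// Simulate sends the proxy to the real Cloud Controller and to an impersonator (the attacker
// behind the hijacked DNS record) and reports what each saw and whether the handshake was refused.
func Simulate(skipVerify bool) (legitSaw, attackerSaw string, legitErr, attackerErr error) {
	legit := startServer(selfSignedCert("api.sys.example.com"), &legitSaw) // hypothetical CC name
	defer legit.Close()
	attacker := startServer(selfSignedCert("attacker"), &attackerSaw)
	defer attacker.Close()
	pinned := x509.NewCertPool()
	pinned.AddCert(legit.Certificate()) // the operator's real Cloud Controller cert
	client := newProxyClient(pinned, skipVerify)
	legitErr = forwardToken(client, legit.URL)
	attackerErr = forwardToken(client, attacker.URL)
	return
}

func main() {
	_, leaked, _, _ := Simulate(true)
	_, blocked, _, err := Simulate(false)
	fmt.Printf("vulnerable proxy leaked %q; fixed proxy leaked %q (err: %v)\n", leaked, blocked, err)
}
```

With the weak setting the impersonator receives the bearer token; with pinning, the handshake to it fails with an unknown-authority error before any header is sent, while the real Cloud Controller is still reached. In a real deployment the pinned pool holds the CA that issued the Cloud Controller's certificate rather than the leaf itself, and the proxy has no way to notice the DNS hijack on its own: certificate verification is the only check that tells the two servers apart.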
CVSS Score
8.0 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pivotal Software | Application Service | >= 2.2.0, < 2.2.12 |
| Pivotal Software | Application Service | >= 2.3.0, < 2.3.7 |
| Pivotal Software | Application Service | >= 2.4.0, < 2.4.3 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/107214 (Third Party Advisory, VDB Entry)
- https://pivotal.io/security/cve-2019-3777 (Vendor Advisory)
FAQ
What is CVE-2019-3777?
CVE-2019-3777 is a vulnerability with a CVSS score of 8.0 (HIGH). Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, ships an Apps Manager whose Cloud Controller proxy fails to verify TLS certificates, so an attacker who hijacks the Cloud Controller's DNS record can intercept users' access tokens.
How severe is CVE-2019-3777?
CVE-2019-3777 has been rated HIGH with a CVSS base score of 8.0/10 (see the CVSS Score section above). Exploitation requires the attacker to control the DNS record for the Cloud Controller as resolved by Apps Manager; once that holds, the intercepted access token gives the attacker the victim's access to resources in the Cloud Controller.
Is there a patch for CVE-2019-3777?
Yes. Per the description, the issue is fixed in PAS 2.2.12, 2.3.7 and 2.4.3; upgrade to those or later releases of each line. See the vendor advisory in the references section above for details. Affected products include: Pivotal Software Application Service.