CVE-2019-11276

MEDIUM

Pivotal Software Application Service < 2.3.16 - Cleartext Transmission

Title source: rule

Description

Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring actuator, and subsequent requests via unsecured http. An adjacent unauthenticated user could eavesdrop on the network traffic and gain access to the unencrypted token allowing the attacker to read the type of access a user has over an app. They may also modify the logging level, potentially leading to lost information that would otherwise have been logged.

References (1)

[Vendor Advisory] https://pivotal.io/security/cve-2019-11276

Scores

CVSS v3 5.4

EPSS 0.0005

EPSS Percentile 13.8%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Classification

CWE

CWE-319

Status published

Affected Products (1)

pivotal_software/application_service < 2.3.16

Timeline

Published Aug 19, 2019

Tracked Since Feb 18, 2026