CVE-2019-3790
Severity: MEDIUM
Pivotal Ops Manager Authenticated Session Fixation via Refresh Token Bypass
Title source: llmDescription
The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.
References (2)
- Third Party Advisory, VDB Entry (x_refsource_bid): http://www.securityfocus.com/bid/108512
- Vendor Advisory (x_refsource_confirm): https://pivotal.io/security/cve-2019-3790
Scores
- CVSS v3 base score: 6.1
- CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
- Attack Vector: NETWORK
- EPSS: 0.0066
- EPSS Percentile: 46.7%
Details
- CWE: CWE-613, CWE-324
- Status: published
- Products (1): pivotal_software/operations_manager, 2.2.0 - 2.2.23
- Published: Jun 06, 2019
- Tracked Since: Feb 18, 2026