6.1
CVE-2019-3790
- EPSS 0.06%
- Published 06.06.2019 19:29:00
- Last modified 21.11.2024 04:42:32
- Source security_alert@emc.com
- Teams watchlist Login
- Open Login
The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.
Data is provided by the National Vulnerability Database (NVD)
Pivotal Software ≫ Operations Manager Version >= 2.2.0 < 2.2.23
Pivotal Software ≫ Operations Manager Version >= 2.3.0 < 2.3.16
Pivotal Software ≫ Operations Manager Version >= 2.4.0 < 2.4.11
Pivotal Software ≫ Operations Manager Version >= 2.5.0 < 2.5.3
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.06% | 0.157 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.8 | 2.5 |
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
|
| nvd@nist.gov | 5.5 | 8 | 4.9 |
AV:N/AC:L/Au:S/C:P/I:P/A:N
|
| security_alert@emc.com | 6.1 | 0.9 | 5.2 |
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
|
CWE-324 Use of a Key Past its Expiration Date
The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.
CWE-613 Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."