CVE-2019-3803

Concourse includes token in CLI authentication callback

CVSS 4.5 MEDIUMEPSS 0.6%CWE-200

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.5EPSS 0.6%KEV nãoPoC —Patch —

Lifecycle

Jan 12, 2019Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Pivotal Concourse, all versions prior to 4.2.2, puts the user access token in a url during the login flow. A remote attacker who gains access to a user's browser history could obtain the access token and use it to authenticate as the user.

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Affected products

Pivotal · Concourse

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://pivotal.io/security/cve-2019-3803