CVE-2019-3790 is a vulnerability in Pivotal Software Operations Manager
Published on June 6, 2019
Ops Manager uaa client issues tokens after refresh token expiration
The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.
Weakness Type
Use of a Key Past its Expiration Date
The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. While the expiration of keys does not necessarily ensure that they are compromised, it is a significant concern that keys which remain in use for prolonged periods of time have a decreasing probability of integrity. For this reason, it is important to replace keys within a period of time proportional to their strength.
Products Associated with CVE-2019-3790
Affected Versions
Pivotal Ops Manager:
- 2.3.x versions prior to 2.3.16 are affected.
- 2.4.x versions prior to 2.4.11 are affected.
- 2.2.x versions prior to 2.2.23 are affected.
- 2.5.x versions prior to 2.5.3 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.