Vulnerability Details: CVE-2019-3777
Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain an Apps Manager that uses a Cloud Controller proxy that fails to verify SSL certificates. A remote, unauthenticated attacker who could hijack the Cloud Controller's DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller.
Products affected by CVE-2019-3777
- cpe:2.3:a:pivotal_software:application_service:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-3777
- EPSS score: 0.39% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~73% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2019-3777
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
8.0 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N | 1.6 | 5.8 | Dell |
CWE ids for CVE-2019-3777
- The product does not validate, or incorrectly validates, a certificate.
  Assigned by:
  - nvd@nist.gov (Primary)
  - security_alert@emc.com (Secondary)
References for CVE-2019-3777
- https://pivotal.io/security/cve-2019-3777
  CVE-2019-3777: Apps Manager unverified SSL certs in Cloud Controller proxy | Security | Pivotal (Vendor Advisory)
- http://www.securityfocus.com/bid/107214
  Pivotal Application Service CVE-2019-3777 Security Bypass Vulnerability (Third Party Advisory; VDB Entry)