Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for Pivotal Application Service (PAS) by Pivotal

    CVE-2019-11280 (GCVE-0-2019-11280)

    Vulnerability from nvd – Published: 2019-09-20 18:35 – Updated: 2024-09-16 19:20
    VLAI
    Title
    Privilege escalation through the invitations service
    Summary
    Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain additional privileges by inviting themselves to spaces that they should not have access to.
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2019-11280 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Application Service (PAS) Affected: 2.3.x prior to 2.3.18
    Affected: 2.4.x prior to 2.4.14
    Affected: 2.5.x prior to 2.5.10
    Affected: 2.6.x prior to 2.6.5
    Create a notification for this product.
    Date Public
    2019-09-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:48:09.088Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-11280"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Application Service (PAS)",
              "vendor": "Pivotal",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.3.x prior to 2.3.18"
                },
                {
                  "status": "affected",
                  "version": "2.4.x prior to 2.4.14"
                },
                {
                  "status": "affected",
                  "version": "2.5.x prior to 2.5.10"
                },
                {
                  "status": "affected",
                  "version": "2.6.x prior to 2.6.5"
                }
              ]
            }
          ],
          "datePublic": "2019-09-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain additional privileges by inviting themselves to spaces that they should not have access to."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-09-20T18:35:17.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-11280"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Privilege escalation through the invitations service",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2019-09-20T01:05:51.000Z",
              "ID": "CVE-2019-11280",
              "STATE": "PUBLIC",
              "TITLE": "Privilege escalation through the invitations service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Application Service (PAS)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "2.3.x prior to 2.3.18"
                              },
                              {
                                "version_value": "2.4.x prior to 2.4.14"
                              },
                              {
                                "version_value": "2.5.x prior to 2.5.10"
                              },
                              {
                                "version_value": "2.6.x prior to 2.6.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain additional privileges by inviting themselves to spaces that they should not have access to."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-269: Improper Privilege Management"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2019-11280",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-11280"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2019-11280",
        "datePublished": "2019-09-20T18:35:17.756Z",
        "dateReserved": "2019-04-18T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:20:44.714Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-11276 (GCVE-0-2019-11276)

    Vulnerability from nvd – Published: 2019-08-19 14:49 – Updated: 2024-09-16 16:13
    VLAI
    Title
    Apps Manager sends tokens to Spring apps via HTTP
    Summary
    Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring actuator, and subsequent requests via unsecured http. An adjacent unauthenticated user could eavesdrop on the network traffic and gain access to the unencrypted token allowing the attacker to read the type of access a user has over an app. They may also modify the logging level, potentially leading to lost information that would otherwise have been logged.
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2019-11276 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Application Service (PAS) Affected: 2.3 , < 2.3.16 (custom)
    Affected: 2.4 , < 2.4.12 (custom)
    Affected: 2.5 , < 2.5.8 (custom)
    Affected: 2.6 , < 2.6.3 (custom)
    Create a notification for this product.
    Date Public
    2019-08-16 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:48:09.149Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-11276"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Application Service (PAS)",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.3.16",
                  "status": "affected",
                  "version": "2.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.4.12",
                  "status": "affected",
                  "version": "2.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.5.8",
                  "status": "affected",
                  "version": "2.5",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.6.3",
                  "status": "affected",
                  "version": "2.6",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-08-16T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring actuator, and subsequent requests via unsecured http. An adjacent unauthenticated user could eavesdrop on the network traffic and gain access to the unencrypted token allowing the attacker to read the type of access a user has over an app. They may also modify the logging level, potentially leading to lost information that would otherwise have been logged."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-08-19T14:49:27.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-11276"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apps Manager sends tokens to Spring apps via HTTP",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2019-08-16T19:23:14.737Z",
              "ID": "CVE-2019-11276",
              "STATE": "PUBLIC",
              "TITLE": "Apps Manager sends tokens to Spring apps via HTTP"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Application Service (PAS)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.3",
                                "version_value": "2.3.16"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.4",
                                "version_value": "2.4.12"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.5",
                                "version_value": "2.5.8"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.6",
                                "version_value": "2.6.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring actuator, and subsequent requests via unsecured http. An adjacent unauthenticated user could eavesdrop on the network traffic and gain access to the unencrypted token allowing the attacker to read the type of access a user has over an app. They may also modify the logging level, potentially leading to lost information that would otherwise have been logged."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-319: Cleartext Transmission of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2019-11276",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-11276"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2019-11276",
        "datePublished": "2019-08-19T14:49:27.910Z",
        "dateReserved": "2019-04-18T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:13:54.745Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-11280 (GCVE-0-2019-11280)

    Vulnerability from cvelistv5 – Published: 2019-09-20 18:35 – Updated: 2024-09-16 19:20
    VLAI
    Title
    Privilege escalation through the invitations service
    Summary
    Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain additional privileges by inviting themselves to spaces that they should not have access to.
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2019-11280 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Application Service (PAS) Affected: 2.3.x prior to 2.3.18
    Affected: 2.4.x prior to 2.4.14
    Affected: 2.5.x prior to 2.5.10
    Affected: 2.6.x prior to 2.6.5
    Create a notification for this product.
    Date Public
    2019-09-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:48:09.088Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-11280"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Application Service (PAS)",
              "vendor": "Pivotal",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.3.x prior to 2.3.18"
                },
                {
                  "status": "affected",
                  "version": "2.4.x prior to 2.4.14"
                },
                {
                  "status": "affected",
                  "version": "2.5.x prior to 2.5.10"
                },
                {
                  "status": "affected",
                  "version": "2.6.x prior to 2.6.5"
                }
              ]
            }
          ],
          "datePublic": "2019-09-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain additional privileges by inviting themselves to spaces that they should not have access to."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-09-20T18:35:17.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-11280"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Privilege escalation through the invitations service",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2019-09-20T01:05:51.000Z",
              "ID": "CVE-2019-11280",
              "STATE": "PUBLIC",
              "TITLE": "Privilege escalation through the invitations service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Application Service (PAS)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "2.3.x prior to 2.3.18"
                              },
                              {
                                "version_value": "2.4.x prior to 2.4.14"
                              },
                              {
                                "version_value": "2.5.x prior to 2.5.10"
                              },
                              {
                                "version_value": "2.6.x prior to 2.6.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain additional privileges by inviting themselves to spaces that they should not have access to."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-269: Improper Privilege Management"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2019-11280",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-11280"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2019-11280",
        "datePublished": "2019-09-20T18:35:17.756Z",
        "dateReserved": "2019-04-18T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:20:44.714Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-11276 (GCVE-0-2019-11276)

    Vulnerability from cvelistv5 – Published: 2019-08-19 14:49 – Updated: 2024-09-16 16:13
    VLAI
    Title
    Apps Manager sends tokens to Spring apps via HTTP
    Summary
    Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring actuator, and subsequent requests via unsecured http. An adjacent unauthenticated user could eavesdrop on the network traffic and gain access to the unencrypted token allowing the attacker to read the type of access a user has over an app. They may also modify the logging level, potentially leading to lost information that would otherwise have been logged.
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2019-11276 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Application Service (PAS) Affected: 2.3 , < 2.3.16 (custom)
    Affected: 2.4 , < 2.4.12 (custom)
    Affected: 2.5 , < 2.5.8 (custom)
    Affected: 2.6 , < 2.6.3 (custom)
    Create a notification for this product.
    Date Public
    2019-08-16 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:48:09.149Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-11276"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Application Service (PAS)",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.3.16",
                  "status": "affected",
                  "version": "2.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.4.12",
                  "status": "affected",
                  "version": "2.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.5.8",
                  "status": "affected",
                  "version": "2.5",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.6.3",
                  "status": "affected",
                  "version": "2.6",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-08-16T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring actuator, and subsequent requests via unsecured http. An adjacent unauthenticated user could eavesdrop on the network traffic and gain access to the unencrypted token allowing the attacker to read the type of access a user has over an app. They may also modify the logging level, potentially leading to lost information that would otherwise have been logged."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-08-19T14:49:27.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-11276"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apps Manager sends tokens to Spring apps via HTTP",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2019-08-16T19:23:14.737Z",
              "ID": "CVE-2019-11276",
              "STATE": "PUBLIC",
              "TITLE": "Apps Manager sends tokens to Spring apps via HTTP"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Application Service (PAS)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.3",
                                "version_value": "2.3.16"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.4",
                                "version_value": "2.4.12"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.5",
                                "version_value": "2.5.8"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.6",
                                "version_value": "2.6.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring actuator, and subsequent requests via unsecured http. An adjacent unauthenticated user could eavesdrop on the network traffic and gain access to the unencrypted token allowing the attacker to read the type of access a user has over an app. They may also modify the logging level, potentially leading to lost information that would otherwise have been logged."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-319: Cleartext Transmission of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2019-11276",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-11276"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2019-11276",
        "datePublished": "2019-08-19T14:49:27.910Z",
        "dateReserved": "2019-04-18T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:13:54.745Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }