
    6 vulnerabilities found for Pivotal Ops Manager by Pivotal

    CVE-2019-11292 (GCVE-0-2019-11292)

    Vulnerability from nvd – Published: 2020-01-08 23:55 – Updated: 2024-09-16 18:54
    Title
    Pivotal Ops Manager logs query parameters in tomcat access file
    Summary
    Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, i.e. credentials, then they will be logged as well.
    CWE
    • CWE-532 - Inclusion of Sensitive Information in Log Files
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2019-11292 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Ops Manager Affected: 2.7 , < 2.7.5 (custom)
    Affected: 2.6 , < 2.6.16 (custom)
    Affected: 2.5 , < 2.5.24 (custom)
    Affected: 2.4 , < 2.4.27 (custom)
    Date Public
    2020-01-08 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:48:09.097Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-11292"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Ops Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.7.5",
                  "status": "affected",
                  "version": "2.7",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.6.16",
                  "status": "affected",
                  "version": "2.6",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.5.24",
                  "status": "affected",
                  "version": "2.5",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.4.27",
                  "status": "affected",
                  "version": "2.4",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-01-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat\u2019s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532: Inclusion of Sensitive Information in Log Files",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-01-08T23:55:12.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-11292"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pivotal Ops Manager logs query parameters in tomcat access file",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2020-01-08T22:57:26.000Z",
              "ID": "CVE-2019-11292",
              "STATE": "PUBLIC",
              "TITLE": "Pivotal Ops Manager logs query parameters in tomcat access file"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Ops Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.7",
                                "version_value": "2.7.5"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.6",
                                "version_value": "2.6.16"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.5",
                                "version_value": "2.5.24"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.4",
                                "version_value": "2.4.27"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat\u2019s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-532: Inclusion of Sensitive Information in Log Files"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2019-11292",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-11292"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2019-11292",
        "datePublished": "2020-01-08T23:55:12.316Z",
        "dateReserved": "2019-04-18T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:54:10.028Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-3790 (GCVE-0-2019-3790)

    Vulnerability from nvd – Published: 2019-06-06 19:16 – Updated: 2024-09-16 22:20
    Title
    Ops Manager uaa client issues tokens after refresh token expiration
    Summary
    The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.
    CWE
    • CWE-324 - Use of a Key Past its Expiration Date
    Assigner
    References
    URL Tags
    http://www.securityfocus.com/bid/108512 vdb-entry, x_refsource_BID
    https://pivotal.io/security/cve-2019-3790 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Ops Manager Affected: 2.3 , < 2.3.16 (custom)
    Affected: 2.4 , < 2.4.11 (custom)
    Affected: 2.2 , < 2.2.23 (custom)
    Affected: 2.5 , < 2.5.3 (custom)
    Date Public
    2019-05-28 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T19:19:18.470Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "108512",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/108512"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-3790"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Ops Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.3.16",
                  "status": "affected",
                  "version": "2.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.4.11",
                  "status": "affected",
                  "version": "2.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.2.23",
                  "status": "affected",
                  "version": "2.2",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.5.3",
                  "status": "affected",
                  "version": "2.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-05-28T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-324",
                  "description": "CWE-324: Use of a Key Past its Expiration Date",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-06T19:17:33.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "name": "108512",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/108512"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-3790"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ops Manager uaa client issues tokens after refresh token expiration",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2019-05-28T13:47:10.000Z",
              "ID": "CVE-2019-3790",
              "STATE": "PUBLIC",
              "TITLE": "Ops Manager uaa client issues tokens after refresh token expiration"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Ops Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.3",
                                "version_value": "2.3.16"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.4",
                                "version_value": "2.4.11"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.2",
                                "version_value": "2.2.23"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.5",
                                "version_value": "2.5.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-324: Use of a Key Past its Expiration Date"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "108512",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/108512"
                },
                {
                  "name": "https://pivotal.io/security/cve-2019-3790",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-3790"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2019-3790",
        "datePublished": "2019-06-06T19:16:16.854Z",
        "dateReserved": "2019-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:20:48.221Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-3776 (GCVE-0-2019-3776)

    Vulnerability from nvd – Published: 2019-03-07 19:00 – Updated: 2024-09-17 00:11
    Title
    Reflected XSS in Pivotal Operations Manager
    Summary
    Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user's browser.
    CWE
    • CWE-79 - Cross-site Scripting (XSS) - Reflected
    Assigner
    References
    URL Tags
    http://www.securityfocus.com/bid/107344 vdb-entry, x_refsource_BID
    https://pivotal.io/security/cve-2019-3776 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Ops Manager Affected: 2.2 , < 2.2.16 (custom)
    Affected: 2.3 , < 2.3.10 (custom)
    Affected: 2.4 , < 2.4.3 (custom)
    Affected: 2.1 , < 2.1.19 (custom)
    Date Public
    2019-02-20 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T19:19:18.239Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "107344",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/107344"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-3776"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Ops Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.2.16",
                  "status": "affected",
                  "version": "2.2",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.3.10",
                  "status": "affected",
                  "version": "2.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.4.3",
                  "status": "affected",
                  "version": "2.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.19",
                  "status": "affected",
                  "version": "2.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-02-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user\u0027s browser."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Cross-site Scripting (XSS) - Reflected",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-03-12T09:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "name": "107344",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/107344"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-3776"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Reflected XSS in Pivotal Operations Manager",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2019-02-20T00:00:00.000Z",
              "ID": "CVE-2019-3776",
              "STATE": "PUBLIC",
              "TITLE": "Reflected XSS in Pivotal Operations Manager"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Ops Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.2",
                                "version_value": "2.2.16"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.3",
                                "version_value": "2.3.10"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.4",
                                "version_value": "2.4.3"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.1",
                                "version_value": "2.1.19"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user\u0027s browser."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79: Cross-site Scripting (XSS) - Reflected"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "107344",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/107344"
                },
                {
                  "name": "https://pivotal.io/security/cve-2019-3776",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-3776"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2019-3776",
        "datePublished": "2019-03-07T19:00:00.000Z",
        "dateReserved": "2019-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:11:48.970Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-11292 (GCVE-0-2019-11292)

    Vulnerability from cvelistv5 – Published: 2020-01-08 23:55 – Updated: 2024-09-16 18:54
    Title
    Pivotal Ops Manager logs query parameters in tomcat access file
    Summary
    Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, i.e. credentials, then they will be logged as well.
    CWE
    • CWE-532 - Inclusion of Sensitive Information in Log Files
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2019-11292 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Ops Manager Affected: 2.7 , < 2.7.5 (custom)
    Affected: 2.6 , < 2.6.16 (custom)
    Affected: 2.5 , < 2.5.24 (custom)
    Affected: 2.4 , < 2.4.27 (custom)
    Date Public
    2020-01-08 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:48:09.097Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-11292"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Ops Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.7.5",
                  "status": "affected",
                  "version": "2.7",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.6.16",
                  "status": "affected",
                  "version": "2.6",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.5.24",
                  "status": "affected",
                  "version": "2.5",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.4.27",
                  "status": "affected",
                  "version": "2.4",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-01-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat\u2019s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532: Inclusion of Sensitive Information in Log Files",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-01-08T23:55:12.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-11292"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pivotal Ops Manager logs query parameters in tomcat access file",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2020-01-08T22:57:26.000Z",
              "ID": "CVE-2019-11292",
              "STATE": "PUBLIC",
              "TITLE": "Pivotal Ops Manager logs query parameters in tomcat access file"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Ops Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.7",
                                "version_value": "2.7.5"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.6",
                                "version_value": "2.6.16"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.5",
                                "version_value": "2.5.24"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.4",
                                "version_value": "2.4.27"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat\u2019s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-532: Inclusion of Sensitive Information in Log Files"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2019-11292",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-11292"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2019-11292",
        "datePublished": "2020-01-08T23:55:12.316Z",
        "dateReserved": "2019-04-18T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:54:10.028Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-3790 (GCVE-0-2019-3790)

    Vulnerability from cvelistv5 – Published: 2019-06-06 19:16 – Updated: 2024-09-16 22:20
    Title
    Ops Manager uaa client issues tokens after refresh token expiration
    Summary
    The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.
    CWE
    • CWE-324 - Use of a Key Past its Expiration Date
    Assigner
    References
    URL Tags
    http://www.securityfocus.com/bid/108512 vdb-entry x_refsource_BID
    https://pivotal.io/security/cve-2019-3790 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Ops Manager Affected: 2.3 , < 2.3.16 (custom)
    Affected: 2.4 , < 2.4.11 (custom)
    Affected: 2.2 , < 2.2.23 (custom)
    Affected: 2.5 , < 2.5.3 (custom)
    Date Public
    2019-05-28 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T19:19:18.470Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "108512",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/108512"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-3790"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Ops Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.3.16",
                  "status": "affected",
                  "version": "2.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.4.11",
                  "status": "affected",
                  "version": "2.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.2.23",
                  "status": "affected",
                  "version": "2.2",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.5.3",
                  "status": "affected",
                  "version": "2.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-05-28T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-324",
                  "description": "CWE-324: Use of a Key Past its Expiration Date",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-06T19:17:33.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "name": "108512",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/108512"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-3790"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ops Manager uaa client issues tokens after refresh token expiration",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2019-05-28T13:47:10.000Z",
              "ID": "CVE-2019-3790",
              "STATE": "PUBLIC",
              "TITLE": "Ops Manager uaa client issues tokens after refresh token expiration"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Ops Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.3",
                                "version_value": "2.3.16"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.4",
                                "version_value": "2.4.11"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.2",
                                "version_value": "2.2.23"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.5",
                                "version_value": "2.5.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-324: Use of a Key Past its Expiration Date"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "108512",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/108512"
                },
                {
                  "name": "https://pivotal.io/security/cve-2019-3790",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-3790"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2019-3790",
        "datePublished": "2019-06-06T19:16:16.854Z",
        "dateReserved": "2019-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:20:48.221Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-3776 (GCVE-0-2019-3776)

    Vulnerability from cvelistv5 – Published: 2019-03-07 19:00 – Updated: 2024-09-17 00:11
    Title
    Reflected XSS in Pivotal Operations Manager
    Summary
    Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross-site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user's browser. Note: the impacted-products list and the affected-version data on this page give the 2.1 line as < 2.1.19, one patch release earlier than the 2.1.20 bound stated in this description; the vendor advisory linked below is the authoritative source for the fixed version.
    CWE
    • CWE-79 - Cross-site Scripting (XSS) - Reflected
    Assigner
    References
    URL Tags
    http://www.securityfocus.com/bid/107344 vdb-entry x_refsource_BID
    https://pivotal.io/security/cve-2019-3776 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Ops Manager Affected: 2.2 , < 2.2.16 (custom)
    Affected: 2.3 , < 2.3.10 (custom)
    Affected: 2.4 , < 2.4.3 (custom)
    Affected: 2.1 , < 2.1.19 (custom)
    Date Public
    2019-02-20 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T19:19:18.239Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "107344",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/107344"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-3776"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Ops Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.2.16",
                  "status": "affected",
                  "version": "2.2",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.3.10",
                  "status": "affected",
                  "version": "2.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.4.3",
                  "status": "affected",
                  "version": "2.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.19",
                  "status": "affected",
                  "version": "2.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-02-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user\u0027s browser."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Cross-site Scripting (XSS) - Reflected",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-03-12T09:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "name": "107344",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/107344"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-3776"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Reflected XSS in Pivotal Operations Manager",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2019-02-20T00:00:00.000Z",
              "ID": "CVE-2019-3776",
              "STATE": "PUBLIC",
              "TITLE": "Reflected XSS in Pivotal Operations Manager"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Ops Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.2",
                                "version_value": "2.2.16"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.3",
                                "version_value": "2.3.10"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.4",
                                "version_value": "2.4.3"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.1",
                                "version_value": "2.1.19"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user\u0027s browser."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79: Cross-site Scripting (XSS) - Reflected"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "107344",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/107344"
                },
                {
                  "name": "https://pivotal.io/security/cve-2019-3776",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-3776"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2019-3776",
        "datePublished": "2019-03-07T19:00:00.000Z",
        "dateReserved": "2019-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:11:48.970Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }