Search

Find a vulnerability

Search criteria

    20 vulnerabilities found for operations_manager by pivotal_software

    CVE-2019-11292 (GCVE-0-2019-11292)

    Vulnerability from nvd – Published: 2020-01-08 23:55 – Updated: 2024-09-16 18:54
    VLAI
    Title
    Pivotal Ops Manager logs query parameters in tomcat access file
    Summary
    Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well.
    CWE
    • CWE-532 - Inclusion of Sensitive Information in Log Files
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2019-11292 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Ops Manager Affected: 2.7 , < 2.7.5 (custom)
    Affected: 2.6 , < 2.6.16 (custom)
    Affected: 2.5 , < 2.5.24 (custom)
    Affected: 2.4 , < 2.4.27 (custom)
    Create a notification for this product.
    Date Public
    2020-01-08 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:48:09.097Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-11292"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Ops Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.7.5",
                  "status": "affected",
                  "version": "2.7",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.6.16",
                  "status": "affected",
                  "version": "2.6",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.5.24",
                  "status": "affected",
                  "version": "2.5",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.4.27",
                  "status": "affected",
                  "version": "2.4",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-01-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat\u2019s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532: Inclusion of Sensitive Information in Log Files",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-01-08T23:55:12.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-11292"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pivotal Ops Manager logs query parameters in tomcat access file",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2020-01-08T22:57:26.000Z",
              "ID": "CVE-2019-11292",
              "STATE": "PUBLIC",
              "TITLE": "Pivotal Ops Manager logs query parameters in tomcat access file"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Ops Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.7",
                                "version_value": "2.7.5"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.6",
                                "version_value": "2.6.16"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.5",
                                "version_value": "2.5.24"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.4",
                                "version_value": "2.4.27"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat\u2019s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-532: Inclusion of Sensitive Information in Log Files"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2019-11292",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-11292"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2019-11292",
        "datePublished": "2020-01-08T23:55:12.316Z",
        "dateReserved": "2019-04-18T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:54:10.028Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-11270 (GCVE-0-2019-11270)

    Vulnerability from nvd – Published: 2019-08-05 16:21 – Updated: 2024-09-17 04:19
    VLAI
    Title
    UAA clients.write vulnerability
    Summary
    Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloud Foundry UAA Release (OSS) Affected: prior to v73.4.0
    Create a notification for this product.
    Date Public
    2019-08-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:48:09.048Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2019-11270"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-11270"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UAA Release (OSS)",
              "vendor": "Cloud Foundry",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to v73.4.0"
                }
              ]
            }
          ],
          "datePublic": "2019-08-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the \u0027clients.write\u0027 authority or scope can bypass the restrictions imposed on clients created via \u0027clients.write\u0027 and create clients with arbitrary scopes that the creator does not possess."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-08-20T18:50:49.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2019-11270"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-11270"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "UAA clients.write vulnerability",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2019-08-01T00:00:00.000Z",
              "ID": "CVE-2019-11270",
              "STATE": "PUBLIC",
              "TITLE": "UAA clients.write vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "UAA Release (OSS)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "prior to v73.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloud Foundry"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the \u0027clients.write\u0027 authority or scope can bypass the restrictions imposed on clients created via \u0027clients.write\u0027 and create clients with arbitrary scopes that the creator does not possess."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-269: Improper Privilege Management"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2019-11270",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2019-11270"
                },
                {
                  "name": "https://pivotal.io/security/cve-2019-11270",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-11270"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2019-11270",
        "datePublished": "2019-08-05T16:21:54.798Z",
        "dateReserved": "2019-04-18T00:00:00.000Z",
        "dateUpdated": "2024-09-17T04:19:01.006Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-3790 (GCVE-0-2019-3790)

    Vulnerability from nvd – Published: 2019-06-06 19:16 – Updated: 2024-09-16 22:20
    VLAI
    Title
    Ops Manager uaa client issues tokens after refresh token expiration
    Summary
    The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.
    CWE
    • CWE-324 - Use of a Key Past its Expiration Date
    Assigner
    References
    URL Tags
    http://www.securityfocus.com/bid/108512 vdb-entryx_refsource_BID
    https://pivotal.io/security/cve-2019-3790 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Ops Manager Affected: 2.3 , < 2.3.16 (custom)
    Affected: 2.4 , < 2.4.11 (custom)
    Affected: 2.2 , < 2.2.23 (custom)
    Affected: 2.5 , < 2.5.3 (custom)
    Create a notification for this product.
    Date Public
    2019-05-28 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T19:19:18.470Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "108512",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/108512"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-3790"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Ops Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.3.16",
                  "status": "affected",
                  "version": "2.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.4.11",
                  "status": "affected",
                  "version": "2.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.2.23",
                  "status": "affected",
                  "version": "2.2",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.5.3",
                  "status": "affected",
                  "version": "2.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-05-28T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-324",
                  "description": "CWE-324: Use of a Key Past its Expiration Date",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-06T19:17:33.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "name": "108512",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/108512"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-3790"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ops Manager uaa client issues tokens after refresh token expiration",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2019-05-28T13:47:10.000Z",
              "ID": "CVE-2019-3790",
              "STATE": "PUBLIC",
              "TITLE": "Ops Manager uaa client issues tokens after refresh token expiration"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Ops Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.3",
                                "version_value": "2.3.16"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.4",
                                "version_value": "2.4.11"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.2",
                                "version_value": "2.2.23"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.5",
                                "version_value": "2.5.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-324: Use of a Key Past its Expiration Date"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "108512",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/108512"
                },
                {
                  "name": "https://pivotal.io/security/cve-2019-3790",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-3790"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2019-3790",
        "datePublished": "2019-06-06T19:16:16.854Z",
        "dateReserved": "2019-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:20:48.221Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-3776 (GCVE-0-2019-3776)

    Vulnerability from nvd – Published: 2019-03-07 19:00 – Updated: 2024-09-17 00:11
    VLAI
    Title
    Reflected XSS in Pivotal Operations Manager
    Summary
    Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user's browser.
    CWE
    • CWE-79 - Cross-site Scripting (XSS) - Reflected
    Assigner
    References
    URL Tags
    http://www.securityfocus.com/bid/107344 vdb-entryx_refsource_BID
    https://pivotal.io/security/cve-2019-3776 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Ops Manager Affected: 2.2 , < 2.2.16 (custom)
    Affected: 2.3 , < 2.3.10 (custom)
    Affected: 2.4 , < 2.4.3 (custom)
    Affected: 2.1 , < 2.1.19 (custom)
    Create a notification for this product.
    Date Public
    2019-02-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T19:19:18.239Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "107344",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/107344"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-3776"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Ops Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.2.16",
                  "status": "affected",
                  "version": "2.2",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.3.10",
                  "status": "affected",
                  "version": "2.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.4.3",
                  "status": "affected",
                  "version": "2.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.19",
                  "status": "affected",
                  "version": "2.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-02-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user\u0027s browser."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Cross-site Scripting (XSS) - Reflected",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-03-12T09:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "name": "107344",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/107344"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-3776"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Reflected XSS in Pivotal Operations Manager",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2019-02-20T00:00:00.000Z",
              "ID": "CVE-2019-3776",
              "STATE": "PUBLIC",
              "TITLE": "Reflected XSS in Pivotal Operations Manager"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Ops Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.2",
                                "version_value": "2.2.16"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.3",
                                "version_value": "2.3.10"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.4",
                                "version_value": "2.4.3"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.1",
                                "version_value": "2.1.19"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user\u0027s browser."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79: Cross-site Scripting (XSS) - Reflected"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "107344",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/107344"
                },
                {
                  "name": "https://pivotal.io/security/cve-2019-3776",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-3776"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2019-3776",
        "datePublished": "2019-03-07T19:00:00.000Z",
        "dateReserved": "2019-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:11:48.970Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-15762 (GCVE-0-2018-15762)

    Vulnerability from nvd – Published: 2018-11-02 22:00 – Updated: 2024-09-16 18:54
    VLAI
    Title
    Pivotal Operations Manager gives all users heightened privileges
    Summary
    Pivotal Operations Manager, versions 2.0.x prior to 2.0.24, versions 2.1.x prior to 2.1.15, versions 2.2.x prior to 2.2.7, and versions 2.3.x prior to 2.3.1, grants all users a scope which allows for privilege escalation. A remote malicious user who has been authenticated may create a new client with administrator privileges for Opsman.
    CWE
    • Improper Authorization
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2018-15762 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Cloud Foundry Pivotal Operations Manager Affected: 2.0.x , < 2.0.24 (custom)
    Affected: 2.1.x , < 2.1.15 (custom)
    Affected: 2.2.x , < 2.2.7 (custom)
    Affected: 2.3.x , < 2.3.1 (custom)
    Create a notification for this product.
    Date Public
    2018-10-29 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:01:54.588Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2018-15762"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Operations Manager",
              "vendor": "Pivotal Cloud Foundry",
              "versions": [
                {
                  "lessThan": "2.0.24",
                  "status": "affected",
                  "version": "2.0.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.15",
                  "status": "affected",
                  "version": "2.1.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.2.7",
                  "status": "affected",
                  "version": "2.2.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.3.1",
                  "status": "affected",
                  "version": "2.3.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-10-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Operations Manager, versions 2.0.x prior to 2.0.24, versions 2.1.x prior to 2.1.15, versions 2.2.x prior to 2.2.7, and versions 2.3.x prior to 2.3.1, grants all users a scope which allows for privilege escalation. A remote malicious user who has been authenticated may create a new client with administrator privileges for Opsman."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-11-02T21:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2018-15762"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pivotal Operations Manager gives all users heightened privileges",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-10-29T07:00:00.000Z",
              "ID": "CVE-2018-15762",
              "STATE": "PUBLIC",
              "TITLE": "Pivotal Operations Manager gives all users heightened privileges"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Operations Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.0.x",
                                "version_value": "2.0.24"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.1.x",
                                "version_value": "2.1.15"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.2.x",
                                "version_value": "2.2.7"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.3.x",
                                "version_value": "2.3.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal Cloud Foundry"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Operations Manager, versions 2.0.x prior to 2.0.24, versions 2.1.x prior to 2.1.15, versions 2.2.x prior to 2.2.7, and versions 2.3.x prior to 2.3.1, grants all users a scope which allows for privilege escalation. A remote malicious user who has been authenticated may create a new client with administrator privileges for Opsman."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2018-15762",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2018-15762"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-15762",
        "datePublished": "2018-11-02T22:00:00.000Z",
        "dateReserved": "2018-08-23T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:54:15.856Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-11081 (GCVE-0-2018-11081)

    Vulnerability from nvd – Published: 2018-10-05 21:00 – Updated: 2024-09-17 01:26
    VLAI
    Title
    Pivotal Operations Manager UAA config - temp Ram Disk
    Summary
    Pivotal Operations Manager, versions 2.2.x prior to 2.2.1, 2.1.x prior to 2.1.11, 2.0.x prior to 2.0.16, and 1.11.x prior to 2, fails to write the Operations Manager UAA config onto the temp RAM disk, thus exposing the configs directly onto disk. A remote user that has gained access to the Operations Manager VM, can now file search and find the UAA credentials for Operations Manager on the system disk..
    CWE
    • Cleartext Storage in a File or on Disk
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2018-11081 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal pivotal-ops-manager Affected: 1.11.x , ≤ 2 (custom)
    Affected: 2.0.x , < 2.0.16 (custom)
    Affected: 2.1.x , < 2.1.11 (custom)
    Affected: 2.2.x , < 2.2.1 (custom)
    Create a notification for this product.
    Date Public
    2018-09-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:54:36.568Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2018-11081"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pivotal-ops-manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThanOrEqual": "2",
                  "status": "affected",
                  "version": "1.11.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0.16",
                  "status": "affected",
                  "version": "2.0.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.11",
                  "status": "affected",
                  "version": "2.1.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.2.1",
                  "status": "affected",
                  "version": "2.2.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-09-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Operations Manager, versions 2.2.x prior to 2.2.1, 2.1.x prior to 2.1.11, 2.0.x prior to 2.0.16, and 1.11.x prior to 2, fails to write the Operations Manager UAA config onto the temp RAM disk, thus exposing the configs directly onto disk. A remote user that has gained access to the Operations Manager VM, can now file search and find the UAA credentials for Operations Manager on the system disk.."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.9,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cleartext Storage in a File or on Disk",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-10-05T20:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2018-11081"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pivotal Operations Manager UAA config - temp Ram Disk",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-09-27T07:00:00.000Z",
              "ID": "CVE-2018-11081",
              "STATE": "PUBLIC",
              "TITLE": "Pivotal Operations Manager UAA config - temp Ram Disk"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "pivotal-ops-manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "1.11.x",
                                "version_value": "2"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.0.x",
                                "version_value": "2.0.16"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.1.x",
                                "version_value": "2.1.11"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.2.x",
                                "version_value": "2.2.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Operations Manager, versions 2.2.x prior to 2.2.1, 2.1.x prior to 2.1.11, 2.0.x prior to 2.0.16, and 1.11.x prior to 2, fails to write the Operations Manager UAA config onto the temp RAM disk, thus exposing the configs directly onto disk. A remote user that has gained access to the Operations Manager VM, can now file search and find the UAA credentials for Operations Manager on the system disk.."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.9,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cleartext Storage in a File or on Disk"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2018-11081",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2018-11081"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-11081",
        "datePublished": "2018-10-05T21:00:00.000Z",
        "dateReserved": "2018-05-14T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:26:01.975Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-11045 (GCVE-0-2018-11045)

    Vulnerability from nvd – Published: 2018-07-11 20:00 – Updated: 2024-09-16 22:56
    VLAI
    Summary
    Pivotal Operations Manager, versions 2.1 prior to 2.1.6 and 2.0 prior to 2.0.15 and 1.12 prior to 1.12.22, contains a static Linux Random Number Generator (LRNG) seed file embedded in the appliance image. An attacker with knowledge of the exact version and IaaS of a running OpsManager could get the contents of the corresponding seed from the published image and therefore infer the initial state of the LRNG.
    Severity
    No CVSS data available.
    CWE
    • Random number generation
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2018-11045 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Operations Manager Affected: 2.1 , < 2.1.6 (custom)
    Affected: 2.0 , < 2.0.15 (custom)
    Affected: 1.12 , < 1.12.22 (custom)
    Create a notification for this product.
    Date Public
    2018-07-10 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:54:36.497Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2018-11045"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Operations Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.1.6",
                  "status": "affected",
                  "version": "2.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0.15",
                  "status": "affected",
                  "version": "2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.12.22",
                  "status": "affected",
                  "version": "1.12",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-07-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Operations Manager, versions 2.1 prior to 2.1.6 and 2.0 prior to 2.0.15 and 1.12 prior to 1.12.22, contains a static Linux Random Number Generator (LRNG) seed file embedded in the appliance image. An attacker with knowledge of the exact version and IaaS of a running OpsManager could get the contents of the corresponding seed from the published image and therefore infer the initial state of the LRNG."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Random number generation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-11T19:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2018-11045"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-07-10T04:00:00.000Z",
              "ID": "CVE-2018-11045",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Operations Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.1",
                                "version_value": "2.1.6"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.0",
                                "version_value": "2.0.15"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "1.12",
                                "version_value": "1.12.22"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Operations Manager, versions 2.1 prior to 2.1.6 and 2.0 prior to 2.0.15 and 1.12 prior to 1.12.22, contains a static Linux Random Number Generator (LRNG) seed file embedded in the appliance image. An attacker with knowledge of the exact version and IaaS of a running OpsManager could get the contents of the corresponding seed from the published image and therefore infer the initial state of the LRNG."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Random number generation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2018-11045",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2018-11045"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-11045",
        "datePublished": "2018-07-11T20:00:00.000Z",
        "dateReserved": "2018-05-14T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:56:33.333Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-11046 (GCVE-0-2018-11046)

    Vulnerability from nvd – Published: 2018-06-25 15:00 – Updated: 2024-09-16 22:55
    VLAI
    Summary
    Pivotal Operations Manager, versions 2.1.x prior to 2.1.6 and version 2.0.14, includes NGINX packages that lacks security vulnerability patches. An attacker with access to the NGINX processes and knowledge of how to exploit the unpatched vulnerabilities may be able to impact Operations Manager
    Severity
    No CVSS data available.
    CWE
    • unpatched vulnerabilities
    Assigner
    References
    URL Tags
    http://www.securityfocus.com/bid/104545 vdb-entryx_refsource_BID
    https://pivotal.io/security/cve-2018-11046 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Operations Manager Affected: 2.0.14
    Affected: 2.1.x , < 2.1.6 (custom)
    Create a notification for this product.
    Date Public
    2018-06-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:54:36.558Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "104545",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/104545"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2018-11046"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Operations Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.0.14"
                },
                {
                  "lessThan": "2.1.6",
                  "status": "affected",
                  "version": "2.1.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-06-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Operations Manager, versions 2.1.x prior to 2.1.6 and version 2.0.14, includes NGINX packages that lacks security vulnerability patches. An attacker with access to the NGINX processes and knowledge of how to exploit the unpatched vulnerabilities may be able to impact Operations Manager"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "unpatched vulnerabilities",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-06-26T09:57:02.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "name": "104545",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/104545"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2018-11046"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-06-20T04:00:00.000Z",
              "ID": "CVE-2018-11046",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Operations Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.1.x",
                                "version_value": "2.1.6"
                              },
                              {
                                "affected": "=",
                                "version_affected": "=",
                                "version_value": "2.0.14"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Operations Manager, versions 2.1.x prior to 2.1.6 and version 2.0.14, includes NGINX packages that lacks security vulnerability patches. An attacker with access to the NGINX processes and knowledge of how to exploit the unpatched vulnerabilities may be able to impact Operations Manager"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "unpatched vulnerabilities"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "104545",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/104545"
                },
                {
                  "name": "https://pivotal.io/security/cve-2018-11046",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2018-11046"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-11046",
        "datePublished": "2018-06-25T15:00:00.000Z",
        "dateReserved": "2018-05-14T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:55:25.495Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-0897 (GCVE-0-2016-0897)

    Vulnerability from nvd – Published: 2016-09-18 01:00 – Updated: 2024-08-05 22:38
    VLAI
    Summary
    Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.17 and 1.7.x before 1.7.8, when vCloud or vSphere is used, does not properly enable SSH access for operators, which has unspecified impact and remote attack vectors.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2016-0897 x_refsource_CONFIRM
    Date Public
    2016-09-13 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T22:38:41.208Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2016-0897"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-09-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.17 and 1.7.x before 1.7.8, when vCloud or vSphere is used, does not properly enable SSH access for operators, which has unspecified impact and remote attack vectors."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2016-09-18T01:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2016-0897"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "ID": "CVE-2016-0897",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.17 and 1.7.x before 1.7.8, when vCloud or vSphere is used, does not properly enable SSH access for operators, which has unspecified impact and remote attack vectors."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2016-0897",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2016-0897"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2016-0897",
        "datePublished": "2016-09-18T01:00:00.000Z",
        "dateReserved": "2015-12-17T00:00:00.000Z",
        "dateUpdated": "2024-08-05T22:38:41.208Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-0883 (GCVE-0-2016-0883)

    Vulnerability from nvd – Published: 2016-09-18 01:00 – Updated: 2024-08-05 22:30
    VLAI
    Summary
    Pivotal Cloud Foundry (PCF) Ops Manager before 1.5.14 and 1.6.x before 1.6.9 uses the same cookie-encryption key across different customers' installations, which allows remote attackers to bypass session authentication by leveraging knowledge of this key from another installation.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2016-09-13 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T22:30:05.133Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/pcf-ops-manager-weak-authentication-scheme"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-09-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Cloud Foundry (PCF) Ops Manager before 1.5.14 and 1.6.x before 1.6.9 uses the same cookie-encryption key across different customers\u0027 installations, which allows remote attackers to bypass session authentication by leveraging knowledge of this key from another installation."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2016-09-18T01:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/pcf-ops-manager-weak-authentication-scheme"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "ID": "CVE-2016-0883",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Cloud Foundry (PCF) Ops Manager before 1.5.14 and 1.6.x before 1.6.9 uses the same cookie-encryption key across different customers\u0027 installations, which allows remote attackers to bypass session authentication by leveraging knowledge of this key from another installation."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/pcf-ops-manager-weak-authentication-scheme",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/pcf-ops-manager-weak-authentication-scheme"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2016-0883",
        "datePublished": "2016-09-18T01:00:00.000Z",
        "dateReserved": "2015-12-17T00:00:00.000Z",
        "dateUpdated": "2024-08-05T22:30:05.133Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-11292 (GCVE-0-2019-11292)

    Vulnerability from cvelistv5 – Published: 2020-01-08 23:55 – Updated: 2024-09-16 18:54
    VLAI
    Title
    Pivotal Ops Manager logs query parameters in tomcat access file
    Summary
    Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well.
    CWE
    • CWE-532 - Inclusion of Sensitive Information in Log Files
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2019-11292 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Ops Manager Affected: 2.7 , < 2.7.5 (custom)
    Affected: 2.6 , < 2.6.16 (custom)
    Affected: 2.5 , < 2.5.24 (custom)
    Affected: 2.4 , < 2.4.27 (custom)
    Create a notification for this product.
    Date Public
    2020-01-08 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:48:09.097Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-11292"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Ops Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.7.5",
                  "status": "affected",
                  "version": "2.7",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.6.16",
                  "status": "affected",
                  "version": "2.6",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.5.24",
                  "status": "affected",
                  "version": "2.5",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.4.27",
                  "status": "affected",
                  "version": "2.4",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-01-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat\u2019s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532: Inclusion of Sensitive Information in Log Files",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-01-08T23:55:12.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-11292"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pivotal Ops Manager logs query parameters in tomcat access file",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2020-01-08T22:57:26.000Z",
              "ID": "CVE-2019-11292",
              "STATE": "PUBLIC",
              "TITLE": "Pivotal Ops Manager logs query parameters in tomcat access file"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Ops Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.7",
                                "version_value": "2.7.5"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.6",
                                "version_value": "2.6.16"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.5",
                                "version_value": "2.5.24"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.4",
                                "version_value": "2.4.27"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat\u2019s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-532: Inclusion of Sensitive Information in Log Files"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2019-11292",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-11292"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2019-11292",
        "datePublished": "2020-01-08T23:55:12.316Z",
        "dateReserved": "2019-04-18T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:54:10.028Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-11270 (GCVE-0-2019-11270)

    Vulnerability from cvelistv5 – Published: 2019-08-05 16:21 – Updated: 2024-09-17 04:19
    VLAI
    Title
    UAA clients.write vulnerability
    Summary
    Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloud Foundry UAA Release (OSS) Affected: prior to v73.4.0
    Create a notification for this product.
    Date Public
    2019-08-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:48:09.048Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2019-11270"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-11270"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UAA Release (OSS)",
              "vendor": "Cloud Foundry",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to v73.4.0"
                }
              ]
            }
          ],
          "datePublic": "2019-08-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the \u0027clients.write\u0027 authority or scope can bypass the restrictions imposed on clients created via \u0027clients.write\u0027 and create clients with arbitrary scopes that the creator does not possess."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-08-20T18:50:49.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2019-11270"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-11270"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "UAA clients.write vulnerability",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2019-08-01T00:00:00.000Z",
              "ID": "CVE-2019-11270",
              "STATE": "PUBLIC",
              "TITLE": "UAA clients.write vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "UAA Release (OSS)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "prior to v73.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloud Foundry"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the \u0027clients.write\u0027 authority or scope can bypass the restrictions imposed on clients created via \u0027clients.write\u0027 and create clients with arbitrary scopes that the creator does not possess."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-269: Improper Privilege Management"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2019-11270",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2019-11270"
                },
                {
                  "name": "https://pivotal.io/security/cve-2019-11270",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-11270"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2019-11270",
        "datePublished": "2019-08-05T16:21:54.798Z",
        "dateReserved": "2019-04-18T00:00:00.000Z",
        "dateUpdated": "2024-09-17T04:19:01.006Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-3790 (GCVE-0-2019-3790)

    Vulnerability from cvelistv5 – Published: 2019-06-06 19:16 – Updated: 2024-09-16 22:20
    VLAI
    Title
    Ops Manager uaa client issues tokens after refresh token expiration
    Summary
    The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.
    CWE
    • CWE-324 - Use of a Key Past its Expiration Date
    Assigner
    References
    URL Tags
    http://www.securityfocus.com/bid/108512 vdb-entryx_refsource_BID
    https://pivotal.io/security/cve-2019-3790 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Ops Manager Affected: 2.3 , < 2.3.16 (custom)
    Affected: 2.4 , < 2.4.11 (custom)
    Affected: 2.2 , < 2.2.23 (custom)
    Affected: 2.5 , < 2.5.3 (custom)
    Create a notification for this product.
    Date Public
    2019-05-28 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T19:19:18.470Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "108512",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/108512"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-3790"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Ops Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.3.16",
                  "status": "affected",
                  "version": "2.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.4.11",
                  "status": "affected",
                  "version": "2.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.2.23",
                  "status": "affected",
                  "version": "2.2",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.5.3",
                  "status": "affected",
                  "version": "2.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-05-28T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-324",
                  "description": "CWE-324: Use of a Key Past its Expiration Date",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-06T19:17:33.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "name": "108512",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/108512"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-3790"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Ops Manager uaa client issues tokens after refresh token expiration",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2019-05-28T13:47:10.000Z",
              "ID": "CVE-2019-3790",
              "STATE": "PUBLIC",
              "TITLE": "Ops Manager uaa client issues tokens after refresh token expiration"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Ops Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.3",
                                "version_value": "2.3.16"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.4",
                                "version_value": "2.4.11"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.2",
                                "version_value": "2.2.23"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.5",
                                "version_value": "2.5.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-324: Use of a Key Past its Expiration Date"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "108512",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/108512"
                },
                {
                  "name": "https://pivotal.io/security/cve-2019-3790",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-3790"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2019-3790",
        "datePublished": "2019-06-06T19:16:16.854Z",
        "dateReserved": "2019-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:20:48.221Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-3776 (GCVE-0-2019-3776)

    Vulnerability from cvelistv5 – Published: 2019-03-07 19:00 – Updated: 2024-09-17 00:11
    VLAI
    Title
    Reflected XSS in Pivotal Operations Manager
    Summary
    Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user's browser.
    CWE
    • CWE-79 - Cross-site Scripting (XSS) - Reflected
    Assigner
    References
    URL Tags
    http://www.securityfocus.com/bid/107344 vdb-entryx_refsource_BID
    https://pivotal.io/security/cve-2019-3776 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Ops Manager Affected: 2.2 , < 2.2.16 (custom)
    Affected: 2.3 , < 2.3.10 (custom)
    Affected: 2.4 , < 2.4.3 (custom)
    Affected: 2.1 , < 2.1.19 (custom)
    Create a notification for this product.
    Date Public
    2019-02-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T19:19:18.239Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "107344",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/107344"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-3776"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Ops Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.2.16",
                  "status": "affected",
                  "version": "2.2",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.3.10",
                  "status": "affected",
                  "version": "2.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.4.3",
                  "status": "affected",
                  "version": "2.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.19",
                  "status": "affected",
                  "version": "2.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-02-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user\u0027s browser."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Cross-site Scripting (XSS) - Reflected",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-03-12T09:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "name": "107344",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/107344"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-3776"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Reflected XSS in Pivotal Operations Manager",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2019-02-20T00:00:00.000Z",
              "ID": "CVE-2019-3776",
              "STATE": "PUBLIC",
              "TITLE": "Reflected XSS in Pivotal Operations Manager"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Ops Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.2",
                                "version_value": "2.2.16"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.3",
                                "version_value": "2.3.10"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.4",
                                "version_value": "2.4.3"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.1",
                                "version_value": "2.1.19"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user\u0027s browser."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79: Cross-site Scripting (XSS) - Reflected"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "107344",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/107344"
                },
                {
                  "name": "https://pivotal.io/security/cve-2019-3776",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-3776"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2019-3776",
        "datePublished": "2019-03-07T19:00:00.000Z",
        "dateReserved": "2019-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:11:48.970Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-15762 (GCVE-0-2018-15762)

    Vulnerability from cvelistv5 – Published: 2018-11-02 22:00 – Updated: 2024-09-16 18:54
    VLAI
    Title
    Pivotal Operations Manager gives all users heightened privileges
    Summary
    Pivotal Operations Manager, versions 2.0.x prior to 2.0.24, versions 2.1.x prior to 2.1.15, versions 2.2.x prior to 2.2.7, and versions 2.3.x prior to 2.3.1, grants all users a scope which allows for privilege escalation. A remote malicious user who has been authenticated may create a new client with administrator privileges for Opsman.
    CWE
    • Improper Authorization
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2018-15762 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Cloud Foundry Pivotal Operations Manager Affected: 2.0.x , < 2.0.24 (custom)
    Affected: 2.1.x , < 2.1.15 (custom)
    Affected: 2.2.x , < 2.2.7 (custom)
    Affected: 2.3.x , < 2.3.1 (custom)
    Create a notification for this product.
    Date Public
    2018-10-29 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:01:54.588Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2018-15762"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Operations Manager",
              "vendor": "Pivotal Cloud Foundry",
              "versions": [
                {
                  "lessThan": "2.0.24",
                  "status": "affected",
                  "version": "2.0.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.15",
                  "status": "affected",
                  "version": "2.1.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.2.7",
                  "status": "affected",
                  "version": "2.2.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.3.1",
                  "status": "affected",
                  "version": "2.3.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-10-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Operations Manager, versions 2.0.x prior to 2.0.24, versions 2.1.x prior to 2.1.15, versions 2.2.x prior to 2.2.7, and versions 2.3.x prior to 2.3.1, grants all users a scope which allows for privilege escalation. A remote malicious user who has been authenticated may create a new client with administrator privileges for Opsman."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-11-02T21:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2018-15762"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pivotal Operations Manager gives all users heightened privileges",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-10-29T07:00:00.000Z",
              "ID": "CVE-2018-15762",
              "STATE": "PUBLIC",
              "TITLE": "Pivotal Operations Manager gives all users heightened privileges"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Operations Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.0.x",
                                "version_value": "2.0.24"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.1.x",
                                "version_value": "2.1.15"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.2.x",
                                "version_value": "2.2.7"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.3.x",
                                "version_value": "2.3.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal Cloud Foundry"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Operations Manager, versions 2.0.x prior to 2.0.24, versions 2.1.x prior to 2.1.15, versions 2.2.x prior to 2.2.7, and versions 2.3.x prior to 2.3.1, grants all users a scope which allows for privilege escalation. A remote malicious user who has been authenticated may create a new client with administrator privileges for Opsman."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2018-15762",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2018-15762"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-15762",
        "datePublished": "2018-11-02T22:00:00.000Z",
        "dateReserved": "2018-08-23T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:54:15.856Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-11081 (GCVE-0-2018-11081)

    Vulnerability from cvelistv5 – Published: 2018-10-05 21:00 – Updated: 2024-09-17 01:26
    VLAI
    Title
    Pivotal Operations Manager UAA config - temp Ram Disk
    Summary
    Pivotal Operations Manager, versions 2.2.x prior to 2.2.1, 2.1.x prior to 2.1.11, 2.0.x prior to 2.0.16, and 1.11.x prior to 2, fails to write the Operations Manager UAA config onto the temp RAM disk, thus exposing the configs directly onto disk. A remote user that has gained access to the Operations Manager VM, can now file search and find the UAA credentials for Operations Manager on the system disk..
    CWE
    • Cleartext Storage in a File or on Disk
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2018-11081 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal pivotal-ops-manager Affected: 1.11.x , ≤ 2 (custom)
    Affected: 2.0.x , < 2.0.16 (custom)
    Affected: 2.1.x , < 2.1.11 (custom)
    Affected: 2.2.x , < 2.2.1 (custom)
    Create a notification for this product.
    Date Public
    2018-09-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:54:36.568Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2018-11081"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pivotal-ops-manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThanOrEqual": "2",
                  "status": "affected",
                  "version": "1.11.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0.16",
                  "status": "affected",
                  "version": "2.0.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.1.11",
                  "status": "affected",
                  "version": "2.1.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.2.1",
                  "status": "affected",
                  "version": "2.2.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-09-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Operations Manager, versions 2.2.x prior to 2.2.1, 2.1.x prior to 2.1.11, 2.0.x prior to 2.0.16, and 1.11.x prior to 2, fails to write the Operations Manager UAA config onto the temp RAM disk, thus exposing the configs directly onto disk. A remote user that has gained access to the Operations Manager VM, can now file search and find the UAA credentials for Operations Manager on the system disk.."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.9,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cleartext Storage in a File or on Disk",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-10-05T20:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2018-11081"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Pivotal Operations Manager UAA config - temp Ram Disk",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-09-27T07:00:00.000Z",
              "ID": "CVE-2018-11081",
              "STATE": "PUBLIC",
              "TITLE": "Pivotal Operations Manager UAA config - temp Ram Disk"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "pivotal-ops-manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_name": "1.11.x",
                                "version_value": "2"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.0.x",
                                "version_value": "2.0.16"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.1.x",
                                "version_value": "2.1.11"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.2.x",
                                "version_value": "2.2.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Operations Manager, versions 2.2.x prior to 2.2.1, 2.1.x prior to 2.1.11, 2.0.x prior to 2.0.16, and 1.11.x prior to 2, fails to write the Operations Manager UAA config onto the temp RAM disk, thus exposing the configs directly onto disk. A remote user that has gained access to the Operations Manager VM, can now file search and find the UAA credentials for Operations Manager on the system disk.."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.9,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cleartext Storage in a File or on Disk"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2018-11081",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2018-11081"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-11081",
        "datePublished": "2018-10-05T21:00:00.000Z",
        "dateReserved": "2018-05-14T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:26:01.975Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-11045 (GCVE-0-2018-11045)

    Vulnerability from cvelistv5 – Published: 2018-07-11 20:00 – Updated: 2024-09-16 22:56
    VLAI
    Summary
    Pivotal Operations Manager, versions 2.1 prior to 2.1.6 and 2.0 prior to 2.0.15 and 1.12 prior to 1.12.22, contains a static Linux Random Number Generator (LRNG) seed file embedded in the appliance image. An attacker with knowledge of the exact version and IaaS of a running OpsManager could get the contents of the corresponding seed from the published image and therefore infer the initial state of the LRNG.
    Severity
    No CVSS data available.
    CWE
    • Random number generation
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2018-11045 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Pivotal Operations Manager Affected: 2.1 , < 2.1.6 (custom)
    Affected: 2.0 , < 2.0.15 (custom)
    Affected: 1.12 , < 1.12.22 (custom)
    Create a notification for this product.
    Date Public
    2018-07-10 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:54:36.497Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2018-11045"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pivotal Operations Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "2.1.6",
                  "status": "affected",
                  "version": "2.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0.15",
                  "status": "affected",
                  "version": "2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.12.22",
                  "status": "affected",
                  "version": "1.12",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-07-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Operations Manager, versions 2.1 prior to 2.1.6 and 2.0 prior to 2.0.15 and 1.12 prior to 1.12.22, contains a static Linux Random Number Generator (LRNG) seed file embedded in the appliance image. An attacker with knowledge of the exact version and IaaS of a running OpsManager could get the contents of the corresponding seed from the published image and therefore infer the initial state of the LRNG."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Random number generation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-11T19:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2018-11045"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-07-10T04:00:00.000Z",
              "ID": "CVE-2018-11045",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pivotal Operations Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.1",
                                "version_value": "2.1.6"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.0",
                                "version_value": "2.0.15"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "1.12",
                                "version_value": "1.12.22"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Operations Manager, versions 2.1 prior to 2.1.6 and 2.0 prior to 2.0.15 and 1.12 prior to 1.12.22, contains a static Linux Random Number Generator (LRNG) seed file embedded in the appliance image. An attacker with knowledge of the exact version and IaaS of a running OpsManager could get the contents of the corresponding seed from the published image and therefore infer the initial state of the LRNG."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Random number generation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2018-11045",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2018-11045"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-11045",
        "datePublished": "2018-07-11T20:00:00.000Z",
        "dateReserved": "2018-05-14T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:56:33.333Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-11046 (GCVE-0-2018-11046)

    Vulnerability from cvelistv5 – Published: 2018-06-25 15:00 – Updated: 2024-09-16 22:55
    VLAI
    Summary
    Pivotal Operations Manager, versions 2.1.x prior to 2.1.6 and version 2.0.14, includes NGINX packages that lacks security vulnerability patches. An attacker with access to the NGINX processes and knowledge of how to exploit the unpatched vulnerabilities may be able to impact Operations Manager
    Severity
    No CVSS data available.
    CWE
    • unpatched vulnerabilities
    Assigner
    References
    URL Tags
    http://www.securityfocus.com/bid/104545 vdb-entryx_refsource_BID
    https://pivotal.io/security/cve-2018-11046 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Operations Manager Affected: 2.0.14
    Affected: 2.1.x , < 2.1.6 (custom)
    Create a notification for this product.
    Date Public
    2018-06-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:54:36.558Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "104545",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/104545"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2018-11046"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Operations Manager",
              "vendor": "Pivotal",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.0.14"
                },
                {
                  "lessThan": "2.1.6",
                  "status": "affected",
                  "version": "2.1.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-06-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Operations Manager, versions 2.1.x prior to 2.1.6 and version 2.0.14, includes NGINX packages that lacks security vulnerability patches. An attacker with access to the NGINX processes and knowledge of how to exploit the unpatched vulnerabilities may be able to impact Operations Manager"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "unpatched vulnerabilities",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-06-26T09:57:02.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "name": "104545",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/104545"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2018-11046"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-06-20T04:00:00.000Z",
              "ID": "CVE-2018-11046",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Operations Manager",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "2.1.x",
                                "version_value": "2.1.6"
                              },
                              {
                                "affected": "=",
                                "version_affected": "=",
                                "version_value": "2.0.14"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Operations Manager, versions 2.1.x prior to 2.1.6 and version 2.0.14, includes NGINX packages that lacks security vulnerability patches. An attacker with access to the NGINX processes and knowledge of how to exploit the unpatched vulnerabilities may be able to impact Operations Manager"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "unpatched vulnerabilities"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "104545",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/104545"
                },
                {
                  "name": "https://pivotal.io/security/cve-2018-11046",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2018-11046"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-11046",
        "datePublished": "2018-06-25T15:00:00.000Z",
        "dateReserved": "2018-05-14T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:55:25.495Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-0897 (GCVE-0-2016-0897)

    Vulnerability from cvelistv5 – Published: 2016-09-18 01:00 – Updated: 2024-08-05 22:38
    VLAI
    Summary
    Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.17 and 1.7.x before 1.7.8, when vCloud or vSphere is used, does not properly enable SSH access for operators, which has unspecified impact and remote attack vectors.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2016-0897 x_refsource_CONFIRM
    Date Public
    2016-09-13 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T22:38:41.208Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2016-0897"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-09-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.17 and 1.7.x before 1.7.8, when vCloud or vSphere is used, does not properly enable SSH access for operators, which has unspecified impact and remote attack vectors."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2016-09-18T01:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2016-0897"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "ID": "CVE-2016-0897",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.17 and 1.7.x before 1.7.8, when vCloud or vSphere is used, does not properly enable SSH access for operators, which has unspecified impact and remote attack vectors."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2016-0897",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2016-0897"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2016-0897",
        "datePublished": "2016-09-18T01:00:00.000Z",
        "dateReserved": "2015-12-17T00:00:00.000Z",
        "dateUpdated": "2024-08-05T22:38:41.208Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-0883 (GCVE-0-2016-0883)

    Vulnerability from cvelistv5 – Published: 2016-09-18 01:00 – Updated: 2024-08-05 22:30
    VLAI
    Summary
    Pivotal Cloud Foundry (PCF) Ops Manager before 1.5.14 and 1.6.x before 1.6.9 uses the same cookie-encryption key across different customers' installations, which allows remote attackers to bypass session authentication by leveraging knowledge of this key from another installation.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2016-09-13 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T22:30:05.133Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/pcf-ops-manager-weak-authentication-scheme"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-09-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Cloud Foundry (PCF) Ops Manager before 1.5.14 and 1.6.x before 1.6.9 uses the same cookie-encryption key across different customers\u0027 installations, which allows remote attackers to bypass session authentication by leveraging knowledge of this key from another installation."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2016-09-18T01:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/pcf-ops-manager-weak-authentication-scheme"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "ID": "CVE-2016-0883",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Cloud Foundry (PCF) Ops Manager before 1.5.14 and 1.6.x before 1.6.9 uses the same cookie-encryption key across different customers\u0027 installations, which allows remote attackers to bypass session authentication by leveraging knowledge of this key from another installation."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/pcf-ops-manager-weak-authentication-scheme",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/pcf-ops-manager-weak-authentication-scheme"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2016-0883",
        "datePublished": "2016-09-18T01:00:00.000Z",
        "dateReserved": "2015-12-17T00:00:00.000Z",
        "dateUpdated": "2024-08-05T22:30:05.133Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }