CVE-2019-3803 Information

Description

Pivotal Concourse all versions prior to 4.2.2 puts the user access token in a url during the login flow. A remote attacker who gains access to a user’s browser history could obtain the access token and use it to authenticate as the user.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://pivotal.io/security/cve-2019-3803

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

7.5

Base Severity

HIGH