Description
Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller's DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller
CVSS breakdown
CVSS 3.0
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
Affected products
- Pivotal / Apps Manager666 – 666.0.19
- Pivotal / Apps Manager665 – 665.0.26
- Pivotal / Apps Manager667 – 667.0.5
- Pivotal / Pivotal Application Service2.4 – 2.4.3
- Pivotal / Pivotal Application Service2.3 – 2.3.7
- Pivotal / Pivotal Application Service2.2 – 2.2.12