Описание
Pivotal Concourse, all versions prior to 4.2.2, puts the user access token in a url during the login flow. A remote attacker who gains access to a user's browser history could obtain the access token and use it to authenticate as the user.
Ссылки
- Vendor Advisory
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 4.2.2 (исключая)
cpe:2.3:a:pivotal_software:concourse:*:*:*:*:*:*:*:*
EPSS
Процентиль: 39%
0.00173
Низкий
4.5 Medium
CVSS3
7.5 High
CVSS3
5 Medium
CVSS2
Дефекты
CWE-200
CWE-200
Связанные уязвимости
CVSS3: 7.5
github
больше 3 лет назад
Pivotal Concourse, all versions prior to 4.2.2, puts the user access token in a url during the login flow. A remote attacker who gains access to a user's browser history could obtain the access token and use it to authenticate as the user.
EPSS
Процентиль: 39%
0.00173
Низкий
4.5 Medium
CVSS3
7.5 High
CVSS3
5 Medium
CVSS2
Дефекты
CWE-200
CWE-200