CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11292 – Pivotal Ops Manager logs query parameters in tomcat access file
https://notcve.org/view.php?id=CVE-2019-11292
08 Jan 2020 — Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well. Pivotal Ops Manager, versiones 2.4.x anteriores a la versión 2.4.27, 2.5.x anteriores a la versión 2.5.24, 2.6.x anteriores a la versión 2.6.16 y 2.7.x anteriores a la versión 2.7.5, registra todos los parámetros de consulta ... • https://pivotal.io/security/cve-2019-11292 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2019-11270 – UAA clients.write vulnerability
https://notcve.org/view.php?id=CVE-2019-11270
05 Aug 2019 — Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess. Cloud Foundry UAA versiones anteriores a v73.4.0, contienen una vulnerabilidad en la que un cliente malicioso bajo posesión de la autoridad o el alcance "clients.write" puede omitir las restricciones impuestas a los cl... • https://pivotal.io/security/cve-2019-11270 • CWE-269: Improper Privilege Management CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2019-3790 – Ops Manager uaa client issues tokens after refresh token expiration
https://notcve.org/view.php?id=CVE-2019-3790
06 Jun 2019 — The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources. El Pivotal Ops Manager, versiones 2.2.x anteriores a 2.2.23, 2.3.x versiones anteriores a 2.3.16, 2.4.x versiones anteriores a 2.4.11, y 2.5.x versiones ante... • http://www.securityfocus.com/bid/108512 • CWE-324: Use of a Key Past its Expiration Date CWE-613: Insufficient Session Expiration •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2019-3776 – Reflected XSS in Pivotal Operations Manager
https://notcve.org/view.php?id=CVE-2019-3776
07 Mar 2019 — Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user's browser. Pivotal Operations Manager, en las versiones 2.1.x anteriores a la 2.1.20, en las 2.2.x anteriores a la 2.2.16, en las 2.3.x anteriores a la ... • http://www.securityfocus.com/bid/107344 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2018-15762 – Pivotal Operations Manager gives all users heightened privileges
https://notcve.org/view.php?id=CVE-2018-15762
02 Nov 2018 — Pivotal Operations Manager, versions 2.0.x prior to 2.0.24, versions 2.1.x prior to 2.1.15, versions 2.2.x prior to 2.2.7, and versions 2.3.x prior to 2.3.1, grants all users a scope which allows for privilege escalation. A remote malicious user who has been authenticated may create a new client with administrator privileges for Opsman. Pivotal Operations Manager, en versiones 2.0.x anteriores a la 2.0.24, versiones 2.1.x anteriores a la 2.1.15, versiones 2.2.x anteriores a la 2.2.7 y versiones 2.3.x anteri... • https://pivotal.io/security/cve-2018-15762 • CWE-269: Improper Privilege Management •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2018-11081 – Pivotal Operations Manager UAA config - temp Ram Disk
https://notcve.org/view.php?id=CVE-2018-11081
05 Oct 2018 — Pivotal Operations Manager, versions 2.2.x prior to 2.2.1, 2.1.x prior to 2.1.11, 2.0.x prior to 2.0.16, and 1.11.x prior to 2, fails to write the Operations Manager UAA config onto the temp RAM disk, thus exposing the configs directly onto disk. A remote user that has gained access to the Operations Manager VM, can now file search and find the UAA credentials for Operations Manager on the system disk.. Pivotal Operations Manager, en versiones 2.2.x anteriores a la 2.2.1, 2.1.x anteriores a la 2.1.11, 2.0.x... • https://pivotal.io/security/cve-2018-11081 •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2018-11045
https://notcve.org/view.php?id=CVE-2018-11045
11 Jul 2018 — Pivotal Operations Manager, versions 2.1 prior to 2.1.6 and 2.0 prior to 2.0.15 and 1.12 prior to 1.12.22, contains a static Linux Random Number Generator (LRNG) seed file embedded in the appliance image. An attacker with knowledge of the exact version and IaaS of a running OpsManager could get the contents of the corresponding seed from the published image and therefore infer the initial state of the LRNG. Pivotal Operations Manager, en versiones 2.1 anteriores a la 2.1.6 y 2.0 anteriores a la 2.0.15 y 1.1... • https://pivotal.io/security/cve-2018-11045 • CWE-330: Use of Insufficiently Random Values •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-11046
https://notcve.org/view.php?id=CVE-2018-11046
25 Jun 2018 — Pivotal Operations Manager, versions 2.1.x prior to 2.1.6 and version 2.0.14, includes NGINX packages that lacks security vulnerability patches. An attacker with access to the NGINX processes and knowledge of how to exploit the unpatched vulnerabilities may be able to impact Operations Manager Pivotal Operations Manager, en versiones 2.1.x anteriores a la 2.1.6 y en la versión 2.0.14, incluye paquetes NGINX que carecen de parches de vulnerabilidades de seguridad. Un atacante que tenga acceso a los procesos ... • http://www.securityfocus.com/bid/104545 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0CVE-2016-0883
https://notcve.org/view.php?id=CVE-2016-0883
18 Sep 2016 — Pivotal Cloud Foundry (PCF) Ops Manager before 1.5.14 and 1.6.x before 1.6.9 uses the same cookie-encryption key across different customers' installations, which allows remote attackers to bypass session authentication by leveraging knowledge of this key from another installation. Pivotal Cloud Foundry (PCF) Ops Manager en versiones anteriores a 1.5.14 y 1.6.x en versiones anteriores a 1.6.9 usa la misma clave de cifrado de cookies a través instalaciones de clientes diferentes, lo que permite a atacantes re... • https://pivotal.io/security/pcf-ops-manager-weak-authentication-scheme • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 0%CPEs: 9EXPL: 0CVE-2016-0897
https://notcve.org/view.php?id=CVE-2016-0897
18 Sep 2016 — Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.17 and 1.7.x before 1.7.8, when vCloud or vSphere is used, does not properly enable SSH access for operators, which has unspecified impact and remote attack vectors. Pivotal Cloud Foundry (PCF) Ops Manager en versiones anteriores a 1.6.17 y 1.7.x en versiones anteriores a 1.7.8, cuando se usa vCloud o vSphere, no activa adecuadamente acceso SSH para operadores, lo que tiene un impacto no especifico y vectores de ataque remotos. • https://pivotal.io/security/cve-2016-0897 • CWE-310: Cryptographic Issues •