CVE-2019-3792

Name of the Vulnerable Software and Affected Versions Pivotal Concourse version 5.0.0

Description The issue concerns an API in Pivotal Concourse that is susceptible to SQL injection attacks. Specifically, an attacker can craft a version identifier with a SQL injection payload, which can be sent to the Concourse server. This allows the attacker to access privileged data.

Recommendations For Pivotal Concourse version 5.0.0, consider disabling access to the vulnerable API endpoint until a patch is available. Restrict the ability of Concourse resources to craft version identifiers that could contain malicious SQL injection payloads to minimize the risk of exploitation.