PT-2019-16708 · Pivotal · Pivotal Application Service
Published 2019-03-07 · Updated 2019-10-09 · CVE-2019-3777
CVSS v3.1: 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Pivotal Application Service (PAS) versions 2.2.x through 2.2.11
Pivotal Application Service (PAS) versions 2.3.x through 2.3.6
Pivotal Application Service (PAS) versions 2.4.x through 2.4.2
Description
The Cloud Controller proxy in Apps Manager fails to verify SSL certificates. A remote, unauthenticated attacker who has hijacked the Cloud Controller's DNS record could therefore intercept the access tokens the proxy sends to the Cloud Controller and use them to access the affected user's resources in the Cloud Controller.
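The defect class above, as an added Go illustration that is not code from Pivotal or from this advisory: a proxy that forwards a user's bearer token over TLS without validating the upstream certificate, beside the hardened configuration that accepts only certificates chaining to a pinned trust store. The names ccHandler, newRogueUpstream and forwardToken, the in-process test servers and the /v2/apps path are assumptions constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// ccHandler stands in for a Cloud Controller endpoint (constructed for this example):
// it echoes the Authorization header, so a token that reached this host is visible.
var ccHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	io.WriteString(w, "seen: "+r.Header.Get("Authorization"))
})

// newRogueUpstream starts a TLS server with a fresh self-signed certificate that no
// trust store contains: the host a hijacked Cloud Controller DNS record resolves to.
func newRogueUpstream() *httptest.Server {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	srv := httptest.NewUnstartedServer(ccHandler)
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS()
	return srv
}

// forwardToken models the Apps Manager proxy passing a user's access token to the Cloud
// Controller. skipVerify=true is the advisory's defect class; false pins trustedRoots.
func forwardToken(upstreamURL, token string, skipVerify bool, trustedRoots *x509.CertPool) (string, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify, RootCAs: trustedRoots}}
	client := &http.Client{Transport: tr, Timeout: 5 * time.Second}
	req, _ := http.NewRequest(http.MethodGet, upstreamURL+"/v2/apps", nil) // URL comes from a server we started
	req.Header.Set("Authorization", "bearer "+token)                          // the secret at stake
	resp, err := client.Do(req) // with skipVerify the token is sent before any identity check
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}
```

With skipVerify set, the rogue host receives the bearer token; with a pinned root pool the handshake fails before the request is written, and the genuine upstream still works.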
Recommendations
For Pivotal Application Service (PAS) versions 2.2.x through 2.2.11, update to version 2.2.12 or later.
For Pivotal Application Service (PAS) versions 2.3.x through 2.3.6, update to version 2.3.7 or later.
For Pivotal Application Service (PAS) versions 2.4.x through 2.4.2, update to version 2.4.3 or later.
Weakness Enumeration
Improper Certificate Validation
Related Identifiers
CVE-2019-3777
Affected Products
Pivotal Application Service