PT-2019-16722 · Pivotal · Pivotal Concourse

Published

2019-04-01

Updated

2022-02-15

CVE-2019-3792

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Pivotal Concourse version 5.0.0

Description The issue concerns an API in Pivotal Concourse that is susceptible to SQL injection attacks. Specifically, an attacker can craft a version identifier with a SQL injection payload, which can be sent to the Concourse server. This allows the attacker to access privileged data.

Recommendations For Pivotal Concourse version 5.0.0, consider disabling access to the vulnerable API endpoint until a patch is available. Restrict the ability of Concourse resources to craft version identifiers that could contain malicious SQL injection payloads to minimize the risk of exploitation.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2019-3792

GHSA-4FQX-74RV-638W

Affected Products

Pivotal Concourse

PT-2019-16722 · Pivotal · Pivotal Concourse

CVE-2019-3792

Weakness Enumeration

Related Identifiers

Affected Products

References · 7