All Vulnerability Reports

Concourse includes token in CLI authentication callback


Severity

Medium

Vendor

Pivotal Cloud Foundry

Description

Pivotal Concourse, all versions prior to 4.2.2, puts the user access token in a url during the login flow. A remote attacker who gains access to a user's browser history could obtain the access token and use it to authenticate as the user.

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • Concourse
    • All versions prior to 4.2.2
Mitigation

Users of affected versions should apply the following mitigation:

  • Pivotal recommends upgrading the following releases:
    • Concourse
      • Upgrade to 4.2.2 or greater
History

2019-01-08: Initial vulnerability report published.

Questions?