
Concourse includes token in CLI authentication callback
Severity

Medium

Vendor

Pivotal Cloud Foundry

Description

Pivotal Concourse, all versions prior to 4.2.2, puts the user access token in a URL during the login flow. A remote attacker who gains access to a user's browser history could obtain the access token and use it to authenticate as the user.
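The two delivery styles the description contrasts, as an added Go example that is not Concourse's code and does not reproduce the actual 4.2.2 change: an audit helper that flags token-bearing URLs (the pattern that ends up in browser history), and a hypothetical CLI-side callback that accepts the token only from a POST body. The names tokenFromCallback, CallbackStatus and the keys in sensitiveParams are assumptions.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Query keys a credential must never ride in: browsers record the full URL in history.
var sensitiveParams = []string{"token", "access_token", "id_token"}

// URLLeaksToken reports whether a URL carries a credential in its query
// string or fragment; run it over redirect targets or access-log URLs.
func URLLeaksToken(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	frag, _ := url.ParseQuery(u.Fragment)
	for _, key := range sensitiveParams {
		if u.Query().Get(key) != "" || frag.Get(key) != "" {
			return true
		}
	}
	return false
}

// tokenFromCallback (hypothetical CLI-side handler logic) takes the token only
// from a POST body, which browsers do not record, and rejects it in the URL.
func tokenFromCallback(r *http.Request) (string, int) {
	if URLLeaksToken(r.URL.String()) {
		return "", http.StatusBadRequest // the leaky pattern from the advisory
	}
	if r.Method != http.MethodPost {
		return "", http.StatusMethodNotAllowed
	}
	if err := r.ParseForm(); err != nil || r.PostForm.Get("token") == "" {
		return "", http.StatusBadRequest
	}
	return r.PostForm.Get("token"), http.StatusOK
}

// CallbackStatus builds a synthetic request and returns the status assigned to it.
func CallbackStatus(method, target, body string) int {
	req := httptest.NewRequest(method, target, strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	_, status := tokenFromCallback(req)
	return status
}
```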

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • Concourse
    • All versions prior to 4.2.2

Mitigation

Users of affected versions should apply the following mitigation:

  • Pivotal recommends upgrading the following releases:
    • Concourse
      • Upgrade to 4.2.2 or greater

History

2019-01-08: Initial vulnerability report published.