CVE-2019-3790

MEDIUM Year: 2019
CVSS v3 Score
5.4
Medium
CVSS v2 Score
5.5
Medium
Weakness Type
CWE-324
View all →

Vulnerability Description

The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.

Related Vulnerabilities

CVE-2024-38277

MEDIUM
CVSS:5.4(Medium)

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.

CWE-3242024

CVE-2024-7318

MEDIUM
CVSS:4.8(Medium)

A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30...

CWE-3242024

CVE-2024-31895

MEDIUM
CVSS:6.5(Medium)

IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive user information using an expired access token. IBM X-Force ID: 288176.

CWE-3242024

CVE-2024-31893

MEDIUM
CVSS:4.3(Medium)

IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive calendar information using an expired access token. IBM X-Force ID: 288174.

CWE-3242024

CVE-2024-31894

MEDIUM
CVSS:4.3(Medium)

IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive user information using an expired access token. IBM X-Force ID: 288175.

CWE-3242024

CVE-2022-2447

MEDIUM
CVSS:6.6(Medium)

A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token should be revoked from when it is actually revoked. This could a...

CWE-3242022