Vulnerabilities > Pivotal Software
|2020-09-19||CVE-2020-5421|| Unspecified vulnerability in Pivotal Software Spring Framework |
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
| 3.6 |
|2020-08-31||CVE-2020-5419|| Uncontrolled Search Path Element vulnerability in Pivotal Software Rabbitmq |
RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific binary planting security vulnerability that allows for arbitrary code execution.
| 4.6 |
|2020-08-12||CVE-2020-5415|| Authentication Bypass BY Spoofing vulnerability in Pivotal Software Concourse |
Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team.
| 6.4 |
|2020-06-11||CVE-2020-5411|| Deserialization of Untrusted Data vulnerability in Pivotal Software Spring Batch |
When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution.
| 6.8 |
|2020-05-14||CVE-2020-5408|| USE of Insufficiently Random Values vulnerability in Pivotal Software Spring Security |
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor.
| 4.0 |
|2020-05-14||CVE-2020-5409|| Open Redirect vulnerability in Pivotal Software Concourse |
Pivotal Concourse, most versions prior to 6.0.0, allows redirects to untrusted websites in its login flow.
| 5.8 |
|2020-05-13||CVE-2020-5407|| Improper Verification of Cryptographic Signature vulnerability in Pivotal Software Spring Security |
Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation.
| 6.5 |
|2020-02-12||CVE-2020-5399|| Cleartext Transmission of Sensitive Information vulnerability in multiple products |
Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS.
| 5.8 |
|2020-01-17||CVE-2020-5397|| Cross-Site Request Forgery (CSRF) vulnerability in Pivotal Software Spring Framework 5.2.0/5.2.1/5.2.2 |
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints.
| 2.6 |
|2020-01-17||CVE-2020-5398|| Download of Code Without Integrity Check vulnerability in Pivotal Software Spring Framework |
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.
| 7.6 |