2021-02-23 CVE-2021-22112 Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in).
low complexity
pivotal-software vmware oracle
2020-08-31 CVE-2020-5419 Uncontrolled Search Path Element vulnerability in multiple products
RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific binary planting security vulnerability that allows for arbitrary code execution.
low complexity
pivotal-software vmware CWE-427
2020-08-12 CVE-2020-5415 Authentication Bypass by Spoofing vulnerability in Pivotal Software Concourse
Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team.
low complexity
pivotal-software CWE-290
2020-06-11 CVE-2020-5411 Deserialization of Untrusted Data vulnerability in Pivotal Software Spring Batch
When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution.
2020-05-14 CVE-2020-5408 Use of Insufficiently Random Values vulnerability in multiple products
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor.
low complexity
vmware pivotal-software CWE-330
2020-05-14 CVE-2020-5409 Open Redirect vulnerability in Pivotal Software Concourse
Pivotal Concourse, most versions prior to 6.0.0, allows redirects to untrusted websites in its login flow.
2020-05-13 CVE-2020-5407 Improper Verification of Cryptographic Signature vulnerability in Pivotal Software Spring Security
Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation.
low complexity
pivotal-software CWE-347
2020-02-12 CVE-2020-5399 Cleartext Transmission of Sensitive Information vulnerability in multiple products
Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS.
2020-01-10 CVE-2013-6430 Cross-site Scripting vulnerability in Pivotal Software Spring Framework
The JavaScriptUtils.javaScriptEscape method in web/util/ in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.
2020-01-09 CVE-2019-11292 Information Exposure vulnerability in Pivotal Software Operations Manager
Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat’s access file.
low complexity
pivotal-software CWE-200