CVE-2019-3792: Concourse 5.0.0 SQL Injection vulnerability
Severity
Medium
Vendor
Pivotal
Description
Pivotal Concourse version 5.0.0 contains an API that is vulnerable to SQL injection. A Concourse resource can craft a version identifier that carries a SQL injection payload to the Concourse server, allowing the attacker to read privileged data. Version identifiers are produced by resource containers, so any resource a pipeline pulls in is in a position to supply such a payload. Releases before 5.0.0 are not affected (see History).
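The advisory does not publish the affected query, so the following is an added illustration of the bug class it describes, not Concourse's own code: a resource-supplied version map is serialized and spliced into SQL text by string formatting, beside the hardened form that keeps the SQL constant and binds the version as a parameter. The table and column names, the query shape and the sample versions are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Version is the key/value map a Concourse resource emits from its check
// script. Every value is attacker-influenced: it is whatever the resource
// container chose to print, so the server must treat it as untrusted input.
type Version map[string]string

// unsafeVersionQuery is a hypothetical illustration of the bug class in the
// advisory, not Concourse's own code: the serialized version is spliced into
// the SQL text with fmt.Sprintf, so a single quote inside a version value
// terminates the string literal and the rest of the value becomes SQL.
func unsafeVersionQuery(resourceID int, v Version) string {
	raw, _ := json.Marshal(v) // a map[string]string always marshals
	return fmt.Sprintf(
		"SELECT id FROM resource_versions WHERE resource_id = %d AND version = '%s'",
		resourceID, string(raw))
}

// safeVersionSQL is the fixed query text used by the hardened variant. The
// table and column names are assumptions for this example.
const safeVersionSQL = "SELECT id FROM resource_versions WHERE resource_id = $1 AND version = $2"

// safeVersionQuery returns the constant SQL text plus bound parameters in
// database/sql style ($n placeholders as used with PostgreSQL). The version
// travels as data, never as query syntax, whatever characters it contains.
func safeVersionQuery(resourceID int, v Version) (string, []interface{}) {
	raw, _ := json.Marshal(v)
	return safeVersionSQL, []interface{}{resourceID, string(raw)}
}

// quotesBalanced is a crude breakout detector for the demonstration only: a
// query whose single quotes do not pair up has had a string literal closed
// early by its input. It is not a substitute for parameterized queries.
func quotesBalanced(sql string) bool {
	return strings.Count(sql, "'")%2 == 0
}

func main() {
	// Constructed inputs: a normal git-style version and a hostile one whose
	// ref value closes the literal and comments out the rest of the statement.
	benign := Version{"ref": "abc123"}
	hostile := Version{"ref": "abc123'; --"}

	for _, v := range []Version{benign, hostile} {
		q := unsafeVersionQuery(7, v)
		fmt.Printf("unsafe: %s\n  quotes balanced: %v\n", q, quotesBalanced(q))
		sq, args := safeVersionQuery(7, v)
		fmt.Printf("safe:   %s\n  args: %v\n", sq, args)
	}
}
```

With the hostile version the unsafe builder yields `version = '{"ref":"abc123'; --"}'`, where the attacker's quote ends the literal and `; --` discards the remainder; the hardened builder returns the same SQL text for both versions and hands the JSON to the driver as `$2`. The remedy for deployments of the affected release is the upgrade listed under Mitigation; the parameterized form is the general pattern that upgrade represents.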
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- Pivotal Concourse 5.0.0
Mitigation
Users of affected versions should upgrade to a release that has fixed this issue:
- Pivotal Concourse: 5.0.1
History
2019-03-25: Initial vulnerability report published
2019-04-04: Clarified which versions are affected (only Concourse 5.0.0)