Concourse includes token in CLI authentication callback
Severity
Medium
Vendor
Pivotal Cloud Foundry
Description
Pivotal Concourse, all versions prior to 4.2.2, places the user's access token in a URL (the CLI authentication callback) during the login flow. A remote attacker who gains access to a user's browser history could obtain the access token from that URL and use it to authenticate as the user.
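As an added illustration that is not Concourse's code and does not show how the project actually fixed the issue, the Go snippet below contrasts the weak pattern the advisory describes (the access token itself carried in the query string of the callback URL) with a callback that carries only an opaque, single-use code the CLI redeems afterwards, plus the simple check a reviewer or log scanner can apply to spot a credential in a URL. The callback address, the sample token, and the names weakCallbackURL, hardenedCallbackURL, codeStore and leaksToken are all hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"sync"
)

// Constructed sample value standing in for a user's real access token.
const sampleToken = "CONSTRUCTED-SAMPLE-ACCESS-TOKEN"

// Hypothetical local address the CLI listens on during login.
const cliCallback = "http://127.0.0.1:8080/auth/callback"

// weakCallbackURL reproduces the pattern the advisory describes: the bearer
// token is appended to the redirect back to the CLI, so everything that
// records URLs (browser history, proxy and web-server access logs, Referer
// headers) ends up holding a reusable credential.
func weakCallbackURL(callback, token string) (string, error) {
	return withQueryParam(callback, "token", token)
}

// hardenedCallbackURL carries only an opaque single-use code; the CLI redeems
// it in a follow-up request, so a code copied from history later is useless.
func hardenedCallbackURL(callback, code string) (string, error) {
	return withQueryParam(callback, "code", code)
}

func withQueryParam(rawURL, name, value string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set(name, value)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// codeStore is a hypothetical server-side table of unredeemed codes.
type codeStore struct {
	mu    sync.Mutex
	codes map[string]string
}

func newCodeStore() *codeStore { return &codeStore{codes: map[string]string{}} }

// issueCode binds the token to a fresh 128-bit random code and returns the code.
func (s *codeStore) issueCode(token string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	code := hex.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[code] = token
	return code, nil
}

// redeem returns the token for a code exactly once; a replay fails.
func (s *codeStore) redeem(code string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	token, ok := s.codes[code]
	if !ok {
		return "", errors.New("unknown or already redeemed code")
	}
	delete(s.codes, code)
	return token, nil
}

// leaksToken is the check a reviewer or log scanner would apply: does the URL
// carry a credential under a parameter name commonly used for one?
func leaksToken(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	q := u.Query()
	for _, name := range []string{"token", "access_token", "id_token"} {
		if q.Get(name) != "" {
			return true
		}
	}
	return false
}

func main() {
	weak, _ := weakCallbackURL(cliCallback, sampleToken)
	fmt.Println("weak callback leaks token:", leaksToken(weak)) // true

	store := newCodeStore()
	code, _ := store.issueCode(sampleToken)
	hardened, _ := hardenedCallbackURL(cliCallback, code)
	fmt.Println("hardened callback leaks token:", leaksToken(hardened)) // false

	tok, err := store.redeem(code)
	fmt.Println("first redeem ok:", err == nil && tok == sampleToken) // true
	_, err = store.redeem(code)
	fmt.Println("replay rejected:", err != nil) // true
}
```

The single-use code still passes through the browser, so it should also be short-lived and the redemption request should carry it outside the URL (for example in a POST body); the point is that what lands in history is no longer a reusable credential.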
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- Concourse
- All versions prior to 4.2.2
Mitigation
Users of affected versions should apply the following mitigation:
- Pivotal recommends upgrading the following releases:
  - Concourse: upgrade to 4.2.2 or greater
History
2019-01-08: Initial vulnerability report published.