CVE-2019-3792: Concourse 5.0.0 SQL Injection vulnerability

Severity

Medium

Vendor

Pivotal

Description

Pivotal Concourse versions prior to 5.0.0 contain an API that is vulnerable to SQL injection. A Concourse resource can craft a version identifier that carries a SQL injection payload to the Concourse server, allowing the attacker to read privileged data.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • Pivotal Concourse versions prior to 5.0.0

Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • Pivotal Concourse: 5.0.1

History

2019-03-25: Initial vulnerability report published

2019-04-04: Clarified which versions are affected (only Concourse 5.0.0)