Concourse includes token in CLI authentication callback
Pivotal Cloud Foundry
Pivotal Concourse, all versions prior to 4.2.2, puts the user access token in a url during the login flow. A remote attacker who gains access to a user's browser history could obtain the access token and use it to authenticate as the user.
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- All versions prior to 4.2.2
Users of affected versions should apply the following mitigation:
- Pivotal recommends upgrading the following releases:
- Upgrade to 4.2.2 or greater
2019-01-08: Initial vulnerability report published.