CVE-2019-3803: Information Exposure

January 11, 2019 (updated October 9, 2019)

Pivotal Concourse puts the user access token in a url during the login flow. A remote attacker who gains access to a user’s browser history could obtain the access token and use it to authenticate as the user.

References

nvd.nist.gov/vuln/detail/CVE-2019-3803
pivotal.io/security/cve-2019-3803

Code Behaviors & Features

Detect and mitigate CVE-2019-3803 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →