A vulnerability has been found in Pivotal Concourse up to 5.0.0 and classified as critical. Affected by this vulnerability is some unknown processing of the component API. The manipulation with an unknown input leads to a sql injection vulnerability. The CWE definition for the vulnerability is CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Pivotal Concourse versions prior to 5.0.1, contains an API that is vulnerable to SQL injection. An Concourse resource can craft a version identifier that can carry a SQL injection payload to the Concourse server, allowing the attacker to read privileged data.

The bug was discovered 04/04/2019. The weakness was released 04/01/2019 (Website). It is possible to read the advisory at pivotal.io. This vulnerability is known as CVE-2019-3792 since 01/03/2019. The attack can be launched remotely. The exploitation doesn't need any form of authentication. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1505 according to MITRE ATT&CK.

The commercial vulnerability scanner Qualys is able to test this issue with plugin 371723 (Pivotal Concourse SQL Injection Vulnerability).

Upgrading to version 5.0.1 eliminates this vulnerability.

Productinfo

Vendor

• Pivotal

Name

• Concourse

Version

• 5.0

License

• commercial

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion