CVE-2019-3792

HIGH7.5EPSS 0.32%

Pivotal Concourse SQL Injection Vulnerability

Published: 2/15/2022Modified: 11/8/2023

Description

Pivotal Concourse version 5.0.0, contains an API that is vulnerable to SQL injection. An Concourse resource can craft a version identifier that can carry a SQL injection payload to the Concourse server, allowing the attacker to read privileged data.

Affected packages (1)

Go/github.com/concourse/concoursefrom 0, < 5.0.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-3792
WEBhttps://github.com/concourse/concourse/blob/master/release-notes/v5.0.1.md#v501-note-1
WEBhttps://github.com/concourse/concourse/commit/dc3d15ab6c3a69890c9985f9c875d4c2949be727
WEBhttps://pivotal.io/security/cve-2019-3792