CVE-2018-1227

Pivotal Concourse after 2018-03-05 might allow remote attackers to have an unspecified impact, if a customer obtained the Concourse software from a DNS domain that is no longer controlled by Pivotal. The original domain for the Concourse CI (concourse-dot-ci) open source project has been registered by an unknown actor, and is therefore no longer the official website for Concourse CI. The new official domain is concourse-ci.org. At approximately 4 am EDT on March 7, 2018 the Concourse OSS team began receiving reports that the Concourse domain was not responding. The Concourse OSS team discovered, upon investigation with both the original and the new domain registrars, that the originating domain registrar had made the domain available for purchase. This was done despite the domain being renewed by the Concourse OSS team through August 2018. For a customer to be affected, they would have needed to access a download from a "concourse-dot-ci" domain web site after March 6, 2018 18:00:00 EST. Accessing that domain is NOT recommended by Pivotal. Anyone who had been using that domain should immediately begin using the concourse-ci.org domain instead. Customers can also safely access Concourse software from the traditionally available locations on the Pivotal Network or GitHub.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://pivotal.io/security/cve-2018-1227	Vendor Advisory
https://pivotal.io/security/cve-2018-1227	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pivotal_software:concourse:*:*:*:*:*:*:*:*

History

21 Nov 2024, 03:59

Type	Values Removed	Values Added
References	~~() https://pivotal.io/security/cve-2018-1227 - Vendor Advisory~~	() https://pivotal.io/security/cve-2018-1227 - Vendor Advisory

Information

Published : 2018-03-13 20:29

Updated : 2024-11-21 03:59

NVD link : CVE-2018-1227

Mitre link : CVE-2018-1227

CVE.ORG link : CVE-2018-1227

JSON object : View

Products Affected

pivotal_software

concourse

CWE

NVD-CWE-noinfo

{"id": "CVE-2018-1227", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2018-03-13T20:29:00.253", "references": [{"url": "https://pivotal.io/security/cve-2018-1227", "tags": ["Vendor Advisory"], "source": "security_alert@emc.com"}, {"url": "https://pivotal.io/security/cve-2018-1227", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Pivotal Concourse after 2018-03-05 might allow remote attackers to have an unspecified impact, if a customer obtained the Concourse software from a DNS domain that is no longer controlled by Pivotal. The original domain for the Concourse CI (concourse-dot-ci) open source project has been registered by an unknown actor, and is therefore no longer the official website for Concourse CI. The new official domain is concourse-ci.org. At approximately 4 am EDT on March 7, 2018 the Concourse OSS team began receiving reports that the Concourse domain was not responding. The Concourse OSS team discovered, upon investigation with both the original and the new domain registrars, that the originating domain registrar had made the domain available for purchase. This was done despite the domain being renewed by the Concourse OSS team through August 2018. For a customer to be affected, they would have needed to access a download from a \"concourse-dot-ci\" domain web site after March 6, 2018 18:00:00 EST. Accessing that domain is NOT recommended by Pivotal. Anyone who had been using that domain should immediately begin using the concourse-ci.org domain instead. Customers can also safely access Concourse software from the traditionally available locations on the Pivotal Network or GitHub."}, {"lang": "es", "value": "Pivotal Concourse, tras 2018-03-05, podr\u00eda permitir que atacantes remotos provoquen un impacto sin especificar si un cliente obtuviese el software Concourse de un dominio DNS que ya no est\u00e9 controlado por Pivotal. El dominio original para el proyecto Concourse CI (concourse-dot-ci) ha sido registrado por un actor desconocido y ya no es el sitio oficial de Concourse CI. El nuevo dominio oficial es concourse-ci.org. A las 4 am EDT aproximadamente el 7 de marzo de 2018, el equipo Concourse OSS comenz\u00f3 a recibir informes indicando que el dominio Concourse no respond\u00eda. El equipo de Concourse OSS descubri\u00f3, tras investigar tanto el registrador original como el del nuevo dominio, que el registrador de dominio original hab\u00eda puesto ese dominio en venta. Esto se realiz\u00f3 a pesar de que el dominio hab\u00eda sido renovado por el equipo de Concourse OSS en agosto de 2018. Para que un consumidor se vea afectado, hubiesen tenido que acceder a una descarga de un sitio web de dominio \"concourse-dot-ci\" a partir del 6 de marzo de 2018 a las 18:00:00 EST. Pivotal NO recomienda acceder a ese dominio. Cualquiera que haya estado empleado ese dominio deber\u00eda comenzar a utilizar inmediatamente el dominio concourse-ci.org. Los consumidores tambi\u00e9n puede acceder de forma segura al software de Concourse a trav\u00e9s de las ubicaciones tradicionales en la red Pivotal o en GitHub."}], "lastModified": "2024-11-21T03:59:25.443", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:concourse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "584A6CA2-6169-4603-BD2C-142A025E72A2", "versionStartIncluding": "3.9.2"}], "operator": "OR"}]}], "sourceIdentifier": "security_alert@emc.com"}

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2018-1227

7.5^/10

5.0^/10

Attach tags to `CVE-2018-1227`