Pivotal Software Operations Manager 1.5.13 Bypass a restriction or similar Vulnerability
12 Dec. 2016
Pivotal Cloud Foundry (PCF) Ops Manager before 1.5.14 and 1.6.x before 1.6.9 uses the same cookie-encryption key across different customers' installations, which allows remote attackers to bypass session authentication by leveraging knowledge of this key from another installation.
Pivotal Cloud Foundry Ops Manager web authentication uses a weak authentication scheme that a remote user can compromise: session information is stored in an encrypted cookie, and that cookie is encrypted with a key shared between installations of Ops Manager.
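The following is an added example, not code from Pivotal or from Ops Manager, and it does not reproduce the product's actual cookie format. It models the defect class in a simplified form (an HMAC-protected session cookie rather than an encrypted one; the argument is the same for authenticated encryption) to show why a key shared across installations defeats session authentication and why binding the installation name into the cookie payload does not repair it: the only effective fix is a per-installation key generated at install time. The `SHARED_KEY` constant and the `Installation` class are constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(session: dict, key: bytes) -> str:
    """Serialise a session dict and append an HMAC-SHA256 tag under `key`."""
    payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_session(cookie: str, key: bytes):
    """Return the session dict if the tag verifies under `key`, otherwise None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered cookie
    return json.loads(payload)


# Vulnerable pattern (constructed value): one key baked into every shipped copy.
SHARED_KEY = b"constructed-shared-key-shipped-in-every-install"


def per_installation_key() -> bytes:
    """Mitigation: a fresh 256-bit key generated once per installation."""
    return secrets.token_bytes(32)


class Installation:
    """Minimal stand-in for one customer's deployment of the web application."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key

    def login(self, user: str) -> str:
        # Even binding the installation name into the payload does not help
        # when the key is shared: the holder of the key can mint any payload.
        return sign_session({"user": user, "site": self.name}, self.key)

    def accepts(self, cookie: str) -> bool:
        return verify_session(cookie, self.key) is not None


def cross_installation_acceptance(shared_key: bool) -> bool:
    """Does customer B's installation accept a session minted by customer A's?"""
    key_a = SHARED_KEY if shared_key else per_installation_key()
    key_b = SHARED_KEY if shared_key else per_installation_key()
    a = Installation("customer-a", key_a)
    b = Installation("customer-b", key_b)
    return b.accepts(a.login("admin"))


def tamper_detected() -> bool:
    """Sanity check: changing one byte of the payload must fail verification."""
    site = Installation("customer-c", per_installation_key())
    cookie = site.login("alice")
    payload_b64, tag_b64 = cookie.split(".", 1)
    payload = bytearray(_unb64(payload_b64))
    payload[0] ^= 0x01
    return not site.accepts(_b64(bytes(payload)) + "." + tag_b64)


if __name__ == "__main__":
    print("shared key, cross-install session accepted:",
          cross_installation_acceptance(True))    # True: the defect
    print("per-install key, cross-install session accepted:",
          cross_installation_acceptance(False))   # False: the mitigation
    print("tampered cookie rejected:", tamper_detected())
```

The check a defender wants from this is the second line of output: once every installation derives its own key, a cookie minted elsewhere is rejected regardless of what the payload claims. The same reasoning applies to the product's encrypted cookie, and it is why the fix is a new, installation-specific key rather than a change to the cookie contents, and why existing sessions should be invalidated when the key is rotated.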