CVE-2019-3801

Summary

Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component.

Affected Software

VendorProductVersion RangeStatus
Cloud FoundryCredHub2.1 < 2.1.3affected
Cloud FoundryCredHub1.9 < 1.9.10affected
Cloud FoundryUAA Release (OSS)All < v64.0affected
Cloud Foundrycf-deploymentAll < v7.9.0affected
PivotalUAA Release (LTS)v60 < v60.2affected
PivotalUAA Release (LTS)v64 < v64.1affected

Weaknesses

  • CWE-494: CWE-494: Download of Code Without Integrity Check

ADP Enrichment

CVE Program Container

Additional References

References