CVE-2019-3801
8.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Summary
Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Cloud Foundry | CredHub | 2.1 < 2.1.3 | affected |
| Cloud Foundry | CredHub | 1.9 < 1.9.10 | affected |
| Cloud Foundry | UAA Release (OSS) | All < v64.0 | affected |
| Cloud Foundry | cf-deployment | All < v7.9.0 | affected |
| Pivotal | UAA Release (LTS) | v60 < v60.2 | affected |
| Pivotal | UAA Release (LTS) | v64 < v64.1 | affected |
Weaknesses
- CWE-494: CWE-494: Download of Code Without Integrity Check
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.