CVE-2019-3801

Published: Apr 25, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component.

Affected (4)

Products: Cloudfoundry: Cf Deployment, Credhub, Uaa Release

3 products

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Cloudfoundry Cf Deployment	Before 7.9.0
Cloudfoundry Credhub	From 1.9 to 1.9.10
Cloudfoundry Credhub	From 2.1 to 2.1.3
Cloudfoundry Uaa Release	Before 64.0

Related CWEs

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

References (4)

http://www.securityfocus.com/bid/108104

Source: security_alert@emc.com

Third Party AdvisoryVDB Entry

https://www.cloudfoundry.org/blog/cve-2019-3801

Source: security_alert@emc.com

Vendor Advisory

http://www.securityfocus.com/bid/108104

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://www.cloudfoundry.org/blog/cve-2019-3801

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.