Lucene search
Cloud FoundryCFOUNDRY:2496A20204B0490362B0622E8FC4111EHistoryApr 25, 2019 - 12:00 a.m.
CVE-2019-3801: Java Projects using HTTP to fetch dependencies | Cloud Foundry
2019-04-2500:00:00
Cloud Foundry
www.cloudfoundry.org
36
0.002 Low
EPSS
Percentile
62.1%
Severity
High
Vendor
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- CredHub
- 2.1 versions prior to 2.1.3
- 1.9 versions prior to 1.9.10
- cf-deployment
- All versions prior to v7.9.0
- UAA Release (OSS)
- All versions prior to v64.0
Description
Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component.
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
- CredHub
- Upgrade 2.1 versions to 2.1.3 or greater
- Upgrade 1.9 versions to 1.9.10 or greater
- cf-deployment
- Upgrade All versions to v7.9.0 or greater
- UAA Release (OSS)
- Upgrade All versions to v64.0 or greater
History
2019-04-25: Initial vulnerability report published.
Related
osv
osv
CVE-2019-3801
2019-04-25 21:29:00
prion
prion
Code injection
2019-04-25 21:29:00
cve
cve
CVE-2019-3801
2019-04-25 21:29:00
cvelist
cvelist
CVE-2019-3801 Java Projects using HTTP to fetch dependencies
2019-04-25 00:00:00
veracode
veracode
Man-in-the-Middle (MitM)
2019-04-26 06:44:02
nvd
nvd
CVE-2019-3801
2019-04-25 21:29:00