Cloud FoundryCFOUNDRY:6D0FE27767FA08BC6718743E9AB9EC99USN-3012-1 Wget vulnerability | Cloud Foundry
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.957 High
EPSS
Percentile
99.4%
USN-3012-1 Wget vulnerability
Medium
Vendor
Canonical Ubuntu, wget
Versions Affected
Canonical Ubuntu 14.04 LTS
Description
Dawid Golunski discovered that Wget incorrectly handled filenames when being redirected from an HTTP to an FTP URL. A malicious server could possibly use this issue to overwrite local files.
Affected Products and Versions
_Severity is medium unless otherwise noted.
_
- Cloud Foundry cflinuxfs2 versions prior to 1.67.0
- Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.17 AND other versions prior to 3232.12 are vulnerable
Mitigation
Users of affected versions should apply the following mitigation:
- Upgrade to Cloud Foundry cflinuxfs2 versions 1.67.0 or later
- The Cloud Foundry team has released patched BOSH stemcells 3146.17 and 3232.12 with an upgraded Linux kernel that resolves the aforementioned issues. We recommend that Operators upgrade BOSH stemcell 3146.x versions to 3146.17 OR other versions to 3232.12
Credit
Dawid Golunski
References
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.957 High
EPSS
Percentile
99.4%