CVE-2019-3786

2019-04-2416:29:01

Google

osv.dev

6.5 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

38.6%

JSON

Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a Bosh Backup and Restore job to request extra backup files from different jobs upon restore. The exploited hooks in this metadata script were only maintained in the cfcr-etcd-release, so clusters deployed with the BBR job for etcd in this release are vulnerable.

CPENameOperatorVersion
bosh-backup-and-restoreeq0.1.0-rc.225
bosh-backup-and-restoreeq0.1.0-rc.248
bosh-backup-and-restoreeq1.3.1
bosh-backup-and-restoreeq1.1.4
bosh-backup-and-restoreeq1.1.2
bosh-backup-and-restoreeq0.1.0-rc.237
bosh-backup-and-restoreeq1.2.8
bosh-backup-and-restoreeq0.1.0-rc.232
bosh-backup-and-restoreeq0.1.0-rc.245
bosh-backup-and-restoreeq0.1.0-rc.251

Name	Operator	Version
bosh-backup-and-restore	eq	0.1.0-rc.225
bosh-backup-and-restore	eq	0.1.0-rc.248
bosh-backup-and-restore	eq	1.3.1
bosh-backup-and-restore	eq	1.1.4
bosh-backup-and-restore	eq	1.1.2
bosh-backup-and-restore	eq	0.1.0-rc.237
bosh-backup-and-restore	eq	1.2.8
bosh-backup-and-restore	eq	0.1.0-rc.232
bosh-backup-and-restore	eq	0.1.0-rc.245
bosh-backup-and-restore	eq	0.1.0-rc.251