CVE-2019-3801 - OpenCVE

Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cloudfoundry	Cf-deployment Credhub Uaa Release

Configuration 1 [-]

OR	cpe:2.3:a:cloudfoundry:cf-deployment::::::::
	cpe:2.3:a:cloudfoundry:credhub::::::::
	cpe:2.3:a:cloudfoundry:credhub::::::::
	cpe:2.3:a:cloudfoundry:uaa_release::::::::

No data.

References

Link	Providers
http://www.securityfocus.com/bid/108104
https://www.cloudfoundry.org/blog/cve-2019-3801

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2019-04-25T20:17:37.272844Z

Updated: 2024-09-17T02:56:41.904Z

Reserved: 2019-01-03T00:00:00

Link: CVE-2019-3801

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-04-25T21:29:00.823

Modified: 2021-10-29T19:45:32.623

Link: CVE-2019-3801

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "CredHub", "vendor": "Cloud Foundry", "versions": [{"lessThan": "2.1.3", "status": "affected", "version": "2.1", "versionType": "custom"}, {"lessThan": "1.9.10", "status": "affected", "version": "1.9", "versionType": "custom"}]}, {"product": "UAA Release (OSS)", "vendor": "Cloud Foundry", "versions": [{"lessThan": "v64.0", "status": "affected", "version": "All", "versionType": "custom"}]}, {"product": "cf-deployment", "vendor": "Cloud Foundry", "versions": [{"lessThan": "v7.9.0", "status": "affected", "version": "All", "versionType": "custom"}]}, {"product": "UAA Release (LTS)", "vendor": "Pivotal", "versions": [{"lessThan": "v60.2", "status": "affected", "version": "v60", "versionType": "custom"}, {"lessThan": "v64.1", "status": "affected", "version": "v64", "versionType": "custom"}]}], "datePublic": "2019-04-25T00:00:00", "descriptions": [{"lang": "en", "value": "Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-494", "description": "CWE-494: Download of Code Without Integrity Check", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-04-30T13:06:03", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cloudfoundry.org/blog/cve-2019-3801"}, {"name": "108104", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108104"}], "source": {"discovery": "UNKNOWN"}, "title": "Java Projects using HTTP to fetch dependencies", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "DATE_PUBLIC": "2019-04-25T00:00:00.000Z", "ID": "CVE-2019-3801", "STATE": "PUBLIC", "TITLE": "Java Projects using HTTP to fetch dependencies"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CredHub", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "2.1", "version_value": "2.1.3"}, {"affected": "<", "version_affected": "<", "version_name": "1.9", "version_value": "1.9.10"}]}}, {"product_name": "UAA Release (OSS)", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "All", "version_value": "v64.0"}]}}, {"product_name": "cf-deployment", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "All", "version_value": "v7.9.0"}]}}]}, "vendor_name": "Cloud Foundry"}, {"product": {"product_data": [{"product_name": "UAA Release (LTS)", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "v60", "version_value": "v60.2"}, {"affected": "<", "version_affected": "<", "version_name": "v64", "version_value": "v64.1"}]}}]}, "vendor_name": "Pivotal"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-494: Download of Code Without Integrity Check"}]}]}, "references": {"reference_data": [{"name": "https://www.cloudfoundry.org/blog/cve-2019-3801", "refsource": "CONFIRM", "url": "https://www.cloudfoundry.org/blog/cve-2019-3801"}, {"name": "108104", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108104"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:19:18.469Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cloudfoundry.org/blog/cve-2019-3801"}, {"name": "108104", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/108104"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2019-3801", "datePublished": "2019-04-25T20:17:37.272844Z", "dateReserved": "2019-01-03T00:00:00", "dateUpdated": "2024-09-17T02:56:41.904Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*", "matchCriteriaId": "01930C56-713D-49E3-9A19-348AAC0CAED1", "versionEndExcluding": "7.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloudfoundry:credhub:*:*:*:*:*:*:*:*", "matchCriteriaId": "077881F9-5C62-4F45-9634-7459A4BC84EE", "versionEndExcluding": "1.9.10", "versionStartIncluding": "1.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloudfoundry:credhub:*:*:*:*:*:*:*:*", "matchCriteriaId": "08BA1621-4676-4BDD-94FA-4EC2A873E3A2", "versionEndExcluding": "2.1.3", "versionStartIncluding": "2.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloudfoundry:uaa_release:*:*:*:*:*:*:*:*", "matchCriteriaId": "50BE60C9-0B65-4253-B52D-5CE79F501568", "versionEndExcluding": "64.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component."}, {"lang": "es", "value": "Cloud Foundry cf-deployment versiones anteriores a 7.9.0, contiene componentes java que son empleados en un protocolo inseguro cuando se construyen dependencias. Un atacante malicioso remoto sin autenticar, podr\u00eda secuestrar la entrada DNS de la dependencia e inyectar c\u00f3digo malicioso en el componente."}], "id": "CVE-2019-3801", "lastModified": "2021-10-29T19:45:32.623", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.8, "source": "security_alert@emc.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-25T21:29:00.823", "references": [{"source": "security_alert@emc.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/108104"}, {"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.cloudfoundry.org/blog/cve-2019-3801"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-494"}], "source": "security_alert@emc.com", "type": "Secondary"}]}