4 vulnerabilities found for CredHub by Cloud Foundry
CVE-2020-5399 (GCVE-0-2020-5399)
Vulnerability from nvd – Published: 2020-02-12 20:30 – Updated: 2024-09-16 19:51
Title
CredHub does not properly enable TLS for MySQL database connections
Summary
Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS. A malicious user with access to the network between CredHub and its MySQL database may eavesdrop on database connections and thereby gain unauthorized access to CredHub and other components.
Severity
7.6 (High)
CWE
- CWE-319 - Cleartext Transmission of Sensitive Information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.cloudfoundry.org/blog/cve-2020-5399 | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Foundry | CredHub | Affected: Edge, < 2.5.10 (custom) | |
Date Public
2020-02-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:23.929Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cloudfoundry.org/blog/cve-2020-5399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CredHub",
"vendor": "Cloud Foundry",
"versions": [
{
"lessThan": "2.5.10",
"status": "affected",
"version": "Edge",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-02-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS. A malicious user with access to the network between CredHub and its MySQL database may eavesdrop on database connections and thereby gain unauthorized access to CredHub and other components."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319: Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-12T20:30:17.000Z",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cloudfoundry.org/blog/cve-2020-5399"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CredHub does not properly enable TLS for MySQL database connections",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-02-12T00:00:00.000Z",
"ID": "CVE-2020-5399",
"STATE": "PUBLIC",
"TITLE": "CredHub does not properly enable TLS for MySQL database connections"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CredHub",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "Edge",
"version_value": "2.5.10"
}
]
}
}
]
},
"vendor_name": "Cloud Foundry"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS. A malicious user with access to the network between CredHub and its MySQL database may eavesdrop on database connections and thereby gain unauthorized access to CredHub and other components."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-319: Cleartext Transmission of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cloudfoundry.org/blog/cve-2020-5399",
"refsource": "CONFIRM",
"url": "https://www.cloudfoundry.org/blog/cve-2020-5399"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2020-5399",
"datePublished": "2020-02-12T20:30:17.255Z",
"dateReserved": "2020-01-03T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:51:26.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3801 (GCVE-0-2019-3801)
Vulnerability from nvd – Published: 2019-04-25 20:17 – Updated: 2024-09-17 02:56
Title
Java Projects using HTTP to fetch dependencies
Summary
Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component.
Severity
8.7 (High)
CWE
- CWE-494 - Download of Code Without Integrity Check
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.cloudfoundry.org/blog/cve-2019-3801 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/108104 | vdb-entry, x_refsource_BID |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Foundry | CredHub | Affected: 2.1, < 2.1.3 (custom); Affected: 1.9, < 1.9.10 (custom) | |
| Cloud Foundry | UAA Release (OSS) | Affected: All, < v64.0 (custom) | |
| Cloud Foundry | cf-deployment | Affected: All, < v7.9.0 (custom) | |
| Pivotal | UAA Release (LTS) | Affected: v60, < v60.2 (custom); Affected: v64, < v64.1 (custom) | |
Date Public
2019-04-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:18.469Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cloudfoundry.org/blog/cve-2019-3801"
},
{
"name": "108104",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108104"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CredHub",
"vendor": "Cloud Foundry",
"versions": [
{
"lessThan": "2.1.3",
"status": "affected",
"version": "2.1",
"versionType": "custom"
},
{
"lessThan": "1.9.10",
"status": "affected",
"version": "1.9",
"versionType": "custom"
}
]
},
{
"product": "UAA Release (OSS)",
"vendor": "Cloud Foundry",
"versions": [
{
"lessThan": "v64.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"product": "cf-deployment",
"vendor": "Cloud Foundry",
"versions": [
{
"lessThan": "v7.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"product": "UAA Release (LTS)",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "v60.2",
"status": "affected",
"version": "v60",
"versionType": "custom"
},
{
"lessThan": "v64.1",
"status": "affected",
"version": "v64",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-04-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-494",
"description": "CWE-494: Download of Code Without Integrity Check",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-30T13:06:03.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cloudfoundry.org/blog/cve-2019-3801"
},
{
"name": "108104",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108104"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Java Projects using HTTP to fetch dependencies",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security_alert@emc.com",
"DATE_PUBLIC": "2019-04-25T00:00:00.000Z",
"ID": "CVE-2019-3801",
"STATE": "PUBLIC",
"TITLE": "Java Projects using HTTP to fetch dependencies"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CredHub",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.1",
"version_value": "2.1.3"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "1.9",
"version_value": "1.9.10"
}
]
}
},
{
"product_name": "UAA Release (OSS)",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "v64.0"
}
]
}
},
{
"product_name": "cf-deployment",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "v7.9.0"
}
]
}
}
]
},
"vendor_name": "Cloud Foundry"
},
{
"product": {
"product_data": [
{
"product_name": "UAA Release (LTS)",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "v60",
"version_value": "v60.2"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "v64",
"version_value": "v64.1"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-494: Download of Code Without Integrity Check"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cloudfoundry.org/blog/cve-2019-3801",
"refsource": "CONFIRM",
"url": "https://www.cloudfoundry.org/blog/cve-2019-3801"
},
{
"name": "108104",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108104"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2019-3801",
"datePublished": "2019-04-25T20:17:37.272Z",
"dateReserved": "2019-01-03T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:56:41.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5399 (GCVE-0-2020-5399)
Vulnerability from cvelistv5 – Published: 2020-02-12 20:30 – Updated: 2024-09-16 19:51
Title
CredHub does not properly enable TLS for MySQL database connections
Summary
Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS. A malicious user with access to the network between CredHub and its MySQL database may eavesdrop on database connections and thereby gain unauthorized access to CredHub and other components.
Severity
7.6 (High)
CWE
- CWE-319 - Cleartext Transmission of Sensitive Information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.cloudfoundry.org/blog/cve-2020-5399 | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Foundry | CredHub | Affected: Edge, < 2.5.10 (custom) | |
Date Public
2020-02-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:23.929Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cloudfoundry.org/blog/cve-2020-5399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CredHub",
"vendor": "Cloud Foundry",
"versions": [
{
"lessThan": "2.5.10",
"status": "affected",
"version": "Edge",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-02-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS. A malicious user with access to the network between CredHub and its MySQL database may eavesdrop on database connections and thereby gain unauthorized access to CredHub and other components."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319: Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-12T20:30:17.000Z",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cloudfoundry.org/blog/cve-2020-5399"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CredHub does not properly enable TLS for MySQL database connections",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-02-12T00:00:00.000Z",
"ID": "CVE-2020-5399",
"STATE": "PUBLIC",
"TITLE": "CredHub does not properly enable TLS for MySQL database connections"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CredHub",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "Edge",
"version_value": "2.5.10"
}
]
}
}
]
},
"vendor_name": "Cloud Foundry"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS. A malicious user with access to the network between CredHub and its MySQL database may eavesdrop on database connections and thereby gain unauthorized access to CredHub and other components."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-319: Cleartext Transmission of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cloudfoundry.org/blog/cve-2020-5399",
"refsource": "CONFIRM",
"url": "https://www.cloudfoundry.org/blog/cve-2020-5399"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2020-5399",
"datePublished": "2020-02-12T20:30:17.255Z",
"dateReserved": "2020-01-03T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:51:26.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3801 (GCVE-0-2019-3801)
Vulnerability from cvelistv5 – Published: 2019-04-25 20:17 – Updated: 2024-09-17 02:56
Title
Java Projects using HTTP to fetch dependencies
Summary
Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component.
Severity
8.7 (High)
CWE
- CWE-494 - Download of Code Without Integrity Check
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.cloudfoundry.org/blog/cve-2019-3801 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/108104 | vdb-entry, x_refsource_BID |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Foundry | CredHub | Affected: 2.1, < 2.1.3 (custom); Affected: 1.9, < 1.9.10 (custom) | |
| Cloud Foundry | UAA Release (OSS) | Affected: All, < v64.0 (custom) | |
| Cloud Foundry | cf-deployment | Affected: All, < v7.9.0 (custom) | |
| Pivotal | UAA Release (LTS) | Affected: v60, < v60.2 (custom); Affected: v64, < v64.1 (custom) | |
Date Public
2019-04-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:18.469Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cloudfoundry.org/blog/cve-2019-3801"
},
{
"name": "108104",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108104"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CredHub",
"vendor": "Cloud Foundry",
"versions": [
{
"lessThan": "2.1.3",
"status": "affected",
"version": "2.1",
"versionType": "custom"
},
{
"lessThan": "1.9.10",
"status": "affected",
"version": "1.9",
"versionType": "custom"
}
]
},
{
"product": "UAA Release (OSS)",
"vendor": "Cloud Foundry",
"versions": [
{
"lessThan": "v64.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"product": "cf-deployment",
"vendor": "Cloud Foundry",
"versions": [
{
"lessThan": "v7.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"product": "UAA Release (LTS)",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "v60.2",
"status": "affected",
"version": "v60",
"versionType": "custom"
},
{
"lessThan": "v64.1",
"status": "affected",
"version": "v64",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-04-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-494",
"description": "CWE-494: Download of Code Without Integrity Check",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-30T13:06:03.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cloudfoundry.org/blog/cve-2019-3801"
},
{
"name": "108104",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108104"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Java Projects using HTTP to fetch dependencies",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security_alert@emc.com",
"DATE_PUBLIC": "2019-04-25T00:00:00.000Z",
"ID": "CVE-2019-3801",
"STATE": "PUBLIC",
"TITLE": "Java Projects using HTTP to fetch dependencies"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CredHub",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "2.1",
"version_value": "2.1.3"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "1.9",
"version_value": "1.9.10"
}
]
}
},
{
"product_name": "UAA Release (OSS)",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "v64.0"
}
]
}
},
{
"product_name": "cf-deployment",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "v7.9.0"
}
]
}
}
]
},
"vendor_name": "Cloud Foundry"
},
{
"product": {
"product_data": [
{
"product_name": "UAA Release (LTS)",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "v60",
"version_value": "v60.2"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "v64",
"version_value": "v64.1"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-494: Download of Code Without Integrity Check"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cloudfoundry.org/blog/cve-2019-3801",
"refsource": "CONFIRM",
"url": "https://www.cloudfoundry.org/blog/cve-2019-3801"
},
{
"name": "108104",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108104"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2019-3801",
"datePublished": "2019-04-25T20:17:37.272Z",
"dateReserved": "2019-01-03T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:56:41.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}