CVE-2019-3801

Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component.

Published: Apr 25, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-3801
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-319

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
cloudfoundry / cf-deployment	-	7.9.0
cloudfoundry / uaa_release	-	64.0
cloudfoundry / credhub	1.9	1.9.10
cloudfoundry / credhub	2.1	2.1.3

http://www.securityfocus.com/bid/108104
https://www.cloudfoundry.org/blog/cve-2019-3801

Vulnerability Database

289,697

CVE-2019-3801