CVE-2019-3779 HIGH

CVE-2019-3779: Cloud Foundry Container Runtime allows a user to bypass security policy when talking to ETCD

Vendor Cloud Foundry

Product Cloud Foundry Container Runtime (CFCR)

Weakness CWE-284

Published March 8, 2019

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Adjacent

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Cloud Foundry Container Runtime, versions prior to 0.29.0, deploys Kubernetes clusters utilize the same CA (Certificate Authority) to sign and trust certs for ETCD as used by the Kubernetes API. This could allow a user authenticated with a cluster to request a signed certificate leveraging the Kubernetes CSR capability to obtain a credential that could escalate privilege access to ETCD.

Key dates

02Disclosure timeline

March 8, 2019 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2019-3779 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/284.html

Related vulnerabilities

Identifiers

CVE CVE-2019-3779

CWE CWE-284

CVSS 8.8 / HIGH

Affected versions