CVE-2019-3801 HIGH

CVE-2019-3801: Java Projects using HTTP to fetch dependencies

Vendor Cloud Foundry
Product CredHub
Weakness CWE-494 · Download without integrity check
Published April 25, 2019
Last update September 17, 2024

CVSS base score

8.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

Description

Cloud Foundry cf-deployment, versions prior to 7.9.0, contain Java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component.
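The condition behind this record is a build that resolves Maven artifacts from an http:// repository, so anyone who can steer DNS (or sit on the path) can hand the build a different JAR. The script below is an added example, not code from the CVE record or from Cloud Foundry: it audits a Maven pom.xml and a Gradle build script for repository URLs that are dereferenced over plain HTTP, and it reports Gradle's allowInsecureProtocol opt-in. The pom.xml and build.gradle contents and the host names in them are constructed for the demonstration. The POM is parsed as XML rather than grepped, because the Maven namespace URI (http://maven.apache.org/POM/4.0.0) is an identifier that is never fetched and would otherwise be a false positive.

```python
"""Audit Java build files for dependency repositories reached over plain HTTP.

Added example: not code from the CVE record or from Cloud Foundry. The build
files and host names below are constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET

# Maven's POM namespace URI happens to be http://, but it is an identifier
# that Maven never fetches. Parsing the XML lets us inspect only the elements
# whose <url> is actually dereferenced.
POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Element paths whose <url> Maven contacts to resolve or publish artifacts.
# The search is recursive, so repositories declared inside <profiles> count.
POM_REPO_PATHS = (
    "repositories/repository",
    "pluginRepositories/pluginRepository",
    "distributionManagement/repository",
    "distributionManagement/snapshotRepository",
)

# Gradle forms covered: url 'x', url "x", url = 'x', url = uri("x")
GRADLE_URL_RE = re.compile(r"""\burl\s*(?:=\s*)?(?:uri\s*\(\s*)?["']([^"']+)["']""")
# Gradle 7 and later refuse http:// repositories unless the build opts back in.
GRADLE_OPT_IN_RE = re.compile(r"allowInsecureProtocol\s*(?:=\s*)?true")

# Constructed sample pom.xml: one https repository, two plain-HTTP ones.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <repositories>
    <repository>
      <id>central-mirror</id>
      <url>https://repo.example.internal/repository/maven-central/</url>
    </repository>
    <repository>
      <id>legacy</id>
      <url>http://legacy-nexus.example.internal/content/groups/public/</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>plugins</id>
      <url>http://legacy-nexus.example.internal/content/groups/plugins/</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""

# Constructed sample build.gradle with the Gradle 7+ opt-in for plain HTTP.
SAMPLE_GRADLE = """
repositories {
    mavenCentral()
    maven { url 'https://repo.example.internal/repository/maven-central/' }
    maven {
        url = uri("http://legacy-nexus.example.internal/content/groups/public/")
        allowInsecureProtocol = true   // silences Gradle's plain-HTTP failure
    }
}
"""


def pom_repository_urls(pom_xml):
    """Return (repository id, url) for every repository a pom.xml would contact."""
    root = ET.fromstring(pom_xml)
    found = []
    for path in POM_REPO_PATHS:
        xpath = ".//" + "/".join(POM_NS + step for step in path.split("/"))
        for repo in root.findall(xpath):
            rid = repo.findtext(POM_NS + "id", default="?").strip()
            url = repo.findtext(POM_NS + "url", default="").strip()
            found.append((rid, url))
    return found


def gradle_repository_urls(gradle_text):
    """Return every repository URL literal declared in a Gradle build script."""
    return [m.group(1).strip() for m in GRADLE_URL_RE.finditer(gradle_text)]


def is_plain_http(url):
    """True when the artifact fetch would go over cleartext HTTP."""
    return url.lower().startswith("http://")


def insecure_repositories(pom_xml=None, gradle_text=None):
    """List (file, repository id, detail) for every plain-HTTP fetch path found."""
    findings = []
    if pom_xml is not None:
        for rid, url in pom_repository_urls(pom_xml):
            if is_plain_http(url):
                findings.append(("pom.xml", rid, url))
    if gradle_text is not None:
        for url in gradle_repository_urls(gradle_text):
            if is_plain_http(url):
                findings.append(("build.gradle", "-", url))
        if GRADLE_OPT_IN_RE.search(gradle_text):
            findings.append(("build.gradle", "-", "allowInsecureProtocol = true"))
    return findings


if __name__ == "__main__":
    for file_name, rid, detail in insecure_repositories(SAMPLE_POM, SAMPLE_GRADLE):
        print(f"{file_name}: repository {rid}: {detail}")
```

Each finding is fixed by pointing the repository at an https:// URL; Maven 3.8.1 and later ship a default mirror (maven-default-http-blocker) that refuses external http:// repositories, and Gradle 7 and later fail the build on plain HTTP unless allowInsecureProtocol is set, which is why the script reports that opt-in as its own finding. TLS only addresses the transport half of CWE-494: to also catch a tampered artifact served from a legitimate host, pin the expected checksums, for example with Gradle's dependency verification metadata.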

Key dates

Disclosure timeline

April 25, 2019 CVE published
September 17, 2024 Record updated