PT-2017-16233 · Cloud Foundry Foundation · Cf-Release+1

Published: 2017-06-13 · Updated: 2019-10-03 · CVE-2017-4970

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Cloud Foundry Foundation cf-release version 255; Staticfile buildpack versions 1.4.0 through 1.4.3

Description
An issue was discovered that causes the Staticfile.auth configuration to be ignored when no Staticfile is present in the application root. Applications that contain a Staticfile.auth file but no Staticfile are affected: basic auth is silently turned off once the Staticfile buildpack is upgraded to a vulnerable version.

Recommendations
For Cloud Foundry Foundation cf-release version 255, update the configuration to ensure proper detection of Staticfile.auth. For Staticfile buildpack versions 1.4.0 through 1.4.3, consider explicitly specifying the Staticfile buildpack to prevent misconfiguration. As a temporary workaround, verify that a Staticfile is present in the application root alongside Staticfile.auth to minimize the risk of exploitation.
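The workaround above can be turned into a pre-push check. The following is an added example, not code from the advisory or from the Staticfile buildpack: it audits an application root for the affected file combination (Staticfile.auth present, Staticfile absent) and for an empty or malformed Staticfile.auth; the finding strings and the sample-app builder are this example's own.

```python
import tempfile
from pathlib import Path

# CVE-2017-4970: Staticfile buildpack 1.4.0 through 1.4.3 ignored Staticfile.auth
# when the app root had no Staticfile, so basic auth was silently disabled.
# File names below are the buildpack's real ones; finding texts are ours.

def audit_app_root(app_root):
    """Return a list of findings for the app directory (empty list = no issue)."""
    root = Path(app_root)
    auth = root / "Staticfile.auth"
    staticfile = root / "Staticfile"
    findings = []
    if not auth.is_file():
        return findings  # nothing to protect with basic auth, nothing to check
    if not staticfile.is_file():
        findings.append(
            "Staticfile.auth present without Staticfile: basic auth may be "
            "silently disabled on vulnerable buildpack versions (CVE-2017-4970)"
        )
    # Staticfile.auth holds htpasswd-style "user:hash" lines; an empty or
    # malformed file protects nothing even on a fixed buildpack.
    entries = [l for l in auth.read_text().splitlines()
               if l.strip() and not l.lstrip().startswith("#")]
    if not entries:
        findings.append("Staticfile.auth has no credential entries")
    for line in entries:
        if ":" not in line or not line.split(":", 1)[1].strip():
            findings.append(f"malformed Staticfile.auth entry: {line!r}")
    return findings


def make_sample_app(with_staticfile, with_auth=True):
    """Build a constructed throwaway app root in a temp dir for demonstration."""
    d = Path(tempfile.mkdtemp(prefix="cf-staticfile-"))
    (d / "index.html").write_text("<h1>hello</h1>\n")
    if with_auth:
        # constructed placeholder hash, not a real credential
        (d / "Staticfile.auth").write_text("admin:$apr1$placeholder$hash\n")
    if with_staticfile:
        (d / "Staticfile").write_text("# buildpack options go here\n")
    return str(d)


if __name__ == "__main__":
    for flag in (False, True):
        print("with Staticfile" if flag else "without Staticfile",
              audit_app_root(make_sample_app(flag)))
```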

Fix


Related Identifiers

CVE-2017-4970

Affected Products

Staticfile Buildpack
Cf-Release