PT-2019-16716 · Cloud Foundry · Cloud Foundry Bosh Backup/Restore Cli

Published 2019-04-24 · Updated 2020-10-16 · CVE-2019-3786

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
Cloud Foundry BOSH Backup and Restore CLI versions prior to 1.5.0

Description
The issue allows a remote authenticated malicious user to modify the metadata file of a BOSH Backup and Restore job, enabling them to request extra backup files from different jobs upon restore. This is possible because the authenticity of backup scripts in BOSH is not checked. The vulnerability specifically affects clusters deployed with the BBR job for etcd in the cfcr-etcd-release.

Recommendations
For Cloud Foundry BOSH Backup and Restore CLI versions prior to 1.5.0, update to version 1.5.0 or later to resolve the issue.

Fix

Weakness Enumeration

Improper Privilege Management
Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2019-3786

Affected Products

Cloud Foundry Bosh Backup/Restore Cli