CVE-2019-3786

EPSS 0.09%
Veröffentlicht 24.04.2019 16:29:01
Zuletzt bearbeitet 21.11.2024 04:42:32
Quelle security_alert@emc.com
CVE-Watchlists
Login
Unerledigt
Login

BBR could run arbitrary scripts on deployment VMs

Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a Bosh Backup and Restore job to request extra backup files from different jobs upon restore. The exploited hooks in this metadata script were only maintained in the cfcr-etcd-release, so clusters deployed with the BBR job for etcd in this release are vulnerable.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cloudfoundry ≫ Bosh Backup And Restore Version < 1.5.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.234

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:N/I:P/A:N
security_alert@emc.com	7.7	3.1	4	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

https://www.cloudfoundry.org/blog/cve-2019-3786

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-3786

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-3786

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-3786

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2019-3786