CVE-2019-3801
Java Projects using HTTP to fetch dependencies
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component.
Cloud Foundry cf-deployment versiones anteriores a 7.9.0, contiene componentes java que son empleados en un protocolo inseguro cuando se construyen dependencias. Un atacante malicioso remoto sin autenticar, podría secuestrar la entrada DNS de la dependencia e inyectar código malicioso en el componente.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-01-03 CVE Reserved
- 2019-04-25 CVE Published
- 2024-09-15 EPSS Updated
- 2024-09-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-319: Cleartext Transmission of Sensitive Information
- CWE-494: Download of Code Without Integrity Check
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/108104 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.cloudfoundry.org/blog/cve-2019-3801 | 2021-10-29 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Cloudfoundry Search vendor "Cloudfoundry" | Cf-deployment Search vendor "Cloudfoundry" for product "Cf-deployment" | < 7.9.0 Search vendor "Cloudfoundry" for product "Cf-deployment" and version " < 7.9.0" | - |
Affected
| ||||||
| Cloudfoundry Search vendor "Cloudfoundry" | Credhub Search vendor "Cloudfoundry" for product "Credhub" | >= 1.9 < 1.9.10 Search vendor "Cloudfoundry" for product "Credhub" and version " >= 1.9 < 1.9.10" | - |
Affected
| ||||||
| Cloudfoundry Search vendor "Cloudfoundry" | Credhub Search vendor "Cloudfoundry" for product "Credhub" | >= 2.1 < 2.1.3 Search vendor "Cloudfoundry" for product "Credhub" and version " >= 2.1 < 2.1.3" | - |
Affected
| ||||||
| Cloudfoundry Search vendor "Cloudfoundry" | Uaa Release Search vendor "Cloudfoundry" for product "Uaa Release" | < 64.0 Search vendor "Cloudfoundry" for product "Uaa Release" and version " < 64.0" | - |
Affected
| ||||||