CVE-2019-3786
Last modified
CVE-2019-3786 is a high-severity vulnerability rated 7.1/10 on the CVSS scale. Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a Bosh Backup and Restore job to request extra backup files from different jobs upon restore. EPSS estimates a 0.59% chance of exploitation in the next 30 days.
Description
Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a Bosh Backup and Restore job to request extra backup files from different jobs upon restore. The exploited hooks in this metadata script were only maintained in the cfcr-etcd-release, so clusters deployed with the BBR job for etcd in this release are vulnerable.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Cloudfoundry | Bosh Backup And Restore | < 1.5.0 |
References
- https://www.cloudfoundry.org/blog/cve-2019-3786Vendor Advisory
- https://www.cloudfoundry.org/blog/cve-2019-3786Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-3786?
How severe is CVE-2019-3786?
How do I fix CVE-2019-3786?
Are you affected by CVE-2019-3786?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST