Description
Cloud Foundry cf-deployment, versions prior to 7.9.0, contains Java components whose builds fetch dependencies over an insecure protocol, one that neither encrypts the transfer nor authenticates the server, so redirecting the dependency host name is enough to substitute the artifact. A remote, unauthenticated attacker who can hijack the DNS entry for that host could serve a malicious artifact in place of the real one and thereby inject code into the built component. Because the substitution happens at build time, the injected code ships inside the component itself.
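The practical check for this class of issue is to look at how the build resolves its dependency repositories. The scanner below is an added example, not code from cf-deployment or the advisory; it assumes the "insecure protocol" is unauthenticated HTTP (the advisory does not name it) and uses constructed Gradle and Maven snippets as input. It reports every repository URL with a plaintext scheme, and `harden()` shows the corrected setting (the same repositories declared over HTTPS).

```python
from __future__ import annotations

import re

# Constructed sample build files (not from cf-deployment). The http:// repository
# URLs are the kind of setting the advisory describes, assuming the insecure
# protocol is plain HTTP.
SAMPLE_BUILD_GRADLE = """\
repositories {
    mavenCentral()
    maven { url "http://repo.example.internal/maven2" }
    maven { url "https://plugins.gradle.org/m2/" }
}
"""

SAMPLE_POM_XML = """\
<project>
  <repositories>
    <repository>
      <id>internal</id>
      <url>http://artifacts.example.internal/repository/maven-public</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
  </repositories>
</project>
"""

# Any scheme://host... token; the scheme is captured so it can be classified.
URL_RE = re.compile(r"""\b(?P<scheme>[a-z][a-z0-9+.-]*)://[^\s"'<>]+""", re.IGNORECASE)

# Schemes that move build inputs over the network with no transport
# authentication or integrity: a DNS hijack of the host is enough to swap them.
PLAINTEXT_SCHEMES = {"http", "ftp"}


def find_plaintext_fetches(text: str) -> list[tuple[int, str]]:
    """Return (line_number, url) for every dependency URL using a plaintext scheme."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in URL_RE.finditer(line):
            if m.group("scheme").lower() in PLAINTEXT_SCHEMES:
                findings.append((lineno, m.group(0)))
    return findings


def harden(text: str) -> str:
    """Rewrite http:// repository URLs to https://.

    This is only a fix if the repository actually serves TLS with a certificate
    the build host trusts; verify that before relying on the rewritten file.
    """
    return re.sub(r"\bhttp://", "https://", text)


if __name__ == "__main__":
    for name, content in (("build.gradle", SAMPLE_BUILD_GRADLE), ("pom.xml", SAMPLE_POM_XML)):
        for lineno, url in find_plaintext_fetches(content):
            print(f"{name}:{lineno}: plaintext dependency source {url}")
```

Run it over real `build.gradle`, `settings.gradle`, `pom.xml` and `~/.m2/settings.xml` files rather than the constructed samples; repository mirrors configured in user or CI settings are easy to miss when only the checked-in build files are reviewed.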
CVSS breakdown
CVSS 3.0
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None
Affected products
- Cloud Foundry / CF Deployment: All – v7.9.0
- Cloud Foundry / CredHub: 2.1 – 2.1.3
- Cloud Foundry / CredHub: 1.9 – 1.9.10
- Cloud Foundry / UAA Release (OSS): All – v64.0
- Pivotal / UAA Release (LTS): v60 – v60.2
- Pivotal / UAA Release (LTS): v64 – v64.1