All the vulnerabilites related to cloudfoundry - staticfile_buildpack
Vulnerability from fkie_nvd
Published
2017-06-13 06:29
Modified
2024-11-21 03:26
Severity ?
Summary
An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static file had their basic auth turned off when an operator upgraded the Static file build pack in the foundation to one of the vulnerable versions. Note that Static file applications without a Static file are technically misconfigured, and will not successfully detect unless the Static file build pack is explicitly specified.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security_alert@emc.com | https://www.cloudfoundry.org/cve-2017-4970/ | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.cloudfoundry.org/cve-2017-4970/ | Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cloudfoundry | cf-release | 255 | |
| cloudfoundry | staticfile_buildpack | 1.4.0 | |
| cloudfoundry | staticfile_buildpack | 1.4.1 | |
| cloudfoundry | staticfile_buildpack | 1.4.2 | |
| cloudfoundry | staticfile_buildpack | 1.4.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cloudfoundry:cf-release:255:*:*:*:*:*:*:*",
"matchCriteriaId": "5046C2CB-99C6-4243-B830-B3957910F1AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5701A18E-C1F0-4A2D-B2C4-A87F29FCA16A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B2087B57-6FCA-4FA6-8FB0-F2D998497B1C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1EBCCB10-2447-4DB1-A762-F07C1373A5E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "EA73D713-53B5-4F9D-97D7-E1BC391A9D26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static file had their basic auth turned off when an operator upgraded the Static file build pack in the foundation to one of the vulnerable versions. Note that Static file applications without a Static file are technically misconfigured, and will not successfully detect unless the Static file build pack is explicitly specified."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en cf-release versi\u00f3n v255 y Staticfile buildpack versiones v1.4.0 hasta v1.4.3 de Cloud Foundry Foundation. Una regresi\u00f3n introducida en el paquete de compilaci\u00f3n de archivos Static hace que la configuraci\u00f3n de Staticfile.auth sea ignorada cuando el archivo Static file no est\u00e9 presente en la aplicaci\u00f3n root. Las aplicaciones que contienen un archivo Staticfile.auth pero no un archivo Static tuvieron su identificaci\u00f3n b\u00e1sica desactivada cuando un operador actualiz\u00f3 el paquete de compilaci\u00f3n de archivos Static en la fundaci\u00f3n de una de las versiones vulnerables. Tomar en cuenta que las aplicaciones de archivos Static sin un archivo Static est\u00e1n mal configuradas t\u00e9cnicamente y no se detectar\u00e1n con \u00e9xito a menos que el paquete de compilaci\u00f3n de archivos Static sea especificada expl\u00edcitamente."
}
],
"id": "CVE-2017-4970",
"lastModified": "2024-11-21T03:26:46.620",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-13T06:29:00.567",
"references": [
{
"source": "security_alert@emc.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://www.cloudfoundry.org/cve-2017-4970/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://www.cloudfoundry.org/cve-2017-4970/"
}
],
"sourceIdentifier": "security_alert@emc.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2017-4970
Vulnerability from cvelistv5
Published
2017-06-13 06:00
Modified
2024-08-05 14:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static file had their basic auth turned off when an operator upgraded the Static file build pack in the foundation to one of the vulnerable versions. Note that Static file applications without a Static file are technically misconfigured, and will not successfully detect unless the Static file build pack is explicitly specified.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.cloudfoundry.org/cve-2017-4970/ | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | Cloud Foundry |
Version: Cloud Foundry |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:47:43.684Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cloudfoundry.org/cve-2017-4970/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cloud Foundry",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Cloud Foundry"
}
]
}
],
"datePublic": "2017-06-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static file had their basic auth turned off when an operator upgraded the Static file build pack in the foundation to one of the vulnerable versions. Note that Static file applications without a Static file are technically misconfigured, and will not successfully detect unless the Static file build pack is explicitly specified."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Staticfile buildpack ignores basic authentication when misconfigured",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-13T05:57:01",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cloudfoundry.org/cve-2017-4970/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security_alert@emc.com",
"ID": "CVE-2017-4970",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cloud Foundry",
"version": {
"version_data": [
{
"version_value": "Cloud Foundry"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static file had their basic auth turned off when an operator upgraded the Static file build pack in the foundation to one of the vulnerable versions. Note that Static file applications without a Static file are technically misconfigured, and will not successfully detect unless the Static file build pack is explicitly specified."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Staticfile buildpack ignores basic authentication when misconfigured"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cloudfoundry.org/cve-2017-4970/",
"refsource": "CONFIRM",
"url": "https://www.cloudfoundry.org/cve-2017-4970/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2017-4970",
"datePublished": "2017-06-13T06:00:00",
"dateReserved": "2016-12-29T00:00:00",
"dateUpdated": "2024-08-05T14:47:43.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}