1. Home
  2. CVE Database
  3. CVE-2019-3786
HIGH · 7.1

CVE-2019-3786

Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of...

Vulnerability Description

Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a Bosh Backup and Restore job to request extra backup files from different jobs upon restore. The exploited hooks in this metadata script were only maintained in the cfcr-etcd-release, so clusters deployed with the BBR job for etcd in this release are vulnerable.

CVSS Score

7.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
HIGH
Availability
NONE

Affected Products

VendorProductVersions
CloudfoundryBosh Backup And Restore< 1.5.0

Related Weaknesses (CWE)

CWE-269CWE-345

References

FAQ

What is CVE-2019-3786?

CVE-2019-3786 is a vulnerability with a CVSS score of 7.1 (HIGH). Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of...

How severe is CVE-2019-3786?

CVE-2019-3786 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-3786?

Check the references section above for vendor advisories and patch information. Affected products include: Cloudfoundry Bosh Backup And Restore.