CVE-2019-13232: ClamAV Add-on for PCF consumes a vulnerable version of ClamAV
Severity
High
Vendor
Pivotal Cloud Foundry
Description
Pivotal ClamAV Add-on for PCF, versions prior to 1.4.46, contains a dependency on a vulnerable version of ClamAV. A remote unauthenticated malicious user may conduct a Denial-of-Service (DoS) attack by submitting a non-recursive zip bomb for scanning, leading to a loss of availability. The underlying ClamAV flaw is addressed in the ClamAV 0.101.3 and 0.101.4 patch releases linked under References.
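The zip bomb class behind this advisory reuses one run of compressed bytes for many archive entries, so the local file data of neighbouring entries overlaps and the declared uncompressed total dwarfs the archive itself. The following is an added example, not code from Pivotal, VMware or the ClamAV project: a small central-directory parser that flags overlapping entries, run against a constructed overlapping archive and an ordinary archive written by Python's zipfile module. The overlap rule and the MAX_RATIO threshold are assumptions for illustration, not ClamAV's actual heuristic.

```python
"""Flag zip archives whose entries overlap on disk (added example).

Not code from Pivotal, VMware or ClamAV. The overlap check and the
MAX_RATIO threshold are assumptions chosen for illustration.
"""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

LOCAL_FMT = "<4sHHHHHIIIHH"         # 30-byte local file header
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"  # 46-byte central directory header
EOCD_FMT = "<4sHHHHIIH"             # 22-byte end-of-central-directory record

MAX_RATIO = 100.0  # assumed: declared uncompressed bytes / archive bytes


def central_entries(blob):
    """Yield (name, comp_size, uncomp_size, local_offset) per central entry.

    Assumes the archive carries no comment containing the EOCD signature.
    """
    eocd_at = blob.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _cd_size, cd_off, _ = struct.unpack_from(EOCD_FMT, blob, eocd_at)
    pos = cd_off
    for _ in range(total):
        f = struct.unpack_from(CENTRAL_FMT, blob, pos)
        if f[0] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at %d" % pos)
        comp, uncomp = f[8], f[9]
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        local_off = f[16]
        name = blob[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, comp, uncomp, local_off
        pos += 46 + name_len + extra_len + comment_len


def local_span(blob, local_off, comp_size):
    """Byte range [start, end) covered by a local header plus its data."""
    f = struct.unpack_from(LOCAL_FMT, blob, local_off)
    if f[0] != LOCAL_SIG:
        raise ValueError("bad local header signature at %d" % local_off)
    name_len, extra_len = f[9], f[10]
    return local_off, local_off + 30 + name_len + extra_len + comp_size


def analyze(blob):
    """Report overlapping entry pairs and the declared expansion ratio."""
    spans, declared = [], 0
    for name, comp, uncomp, off in central_entries(blob):
        start, end = local_span(blob, off, comp)
        spans.append((start, end, name))
        declared += uncomp
    spans.sort()
    pairs = []
    for (s1, e1, n1), (s2, e2, n2) in zip(spans, spans[1:]):
        if s2 < e1:  # next entry begins before the previous one ends
            pairs.append((n1, n2))
    ratio = declared / max(len(blob), 1)
    return {"overlapping": bool(pairs), "pairs": pairs, "ratio": ratio,
            "suspicious": bool(pairs) or ratio > MAX_RATIO}


def build_overlapping_zip(copies, payload=b"A" * 4096):
    """Constructed sample: one stored local entry that `copies` central
    directory entries all point at, the simplest form of entry overlap."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    name = b"entry.bin"
    local = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 0, 0, 0, crc,
                        len(payload), len(payload), len(name), 0) + name + payload
    central = b""
    for i in range(copies):
        cname = b"entry%03d.bin" % i
        central += struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, 0, 0, 0, crc,
                               len(payload), len(payload), len(cname),
                               0, 0, 0, 0, 0, 0) + cname  # local offset 0
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, copies, copies,
                       len(central), len(local), 0)
    return local + central + eocd


def build_benign_zip():
    """Constructed sample: an ordinary two-file archive written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"hello " * 100)
        zf.writestr("b.txt", b"world " * 100)
    return buf.getvalue()


if __name__ == "__main__":
    print("overlapping sample:", analyze(build_overlapping_zip(3)))
    print("benign sample:     ", analyze(build_benign_zip()))
```

The overlap test is the reliable signal here: a high expansion ratio alone is not, since a legitimately deflated file of repeated bytes also compresses by three orders of magnitude, which is why the ratio is reported but only trusted past a generous assumed threshold.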
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- ClamAV Add-on for PCF
  - 1.x versions prior to 1.4.46
Mitigation
Users of affected versions should apply the following mitigation:
- Pivotal releases that have fixed this issue include:
  - ClamAV Add-on for PCF
    - 1.4.46
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13232
- https://blog.clamav.net/2019/08/clamav-01013-security-patch-release-and.html
- https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
History
2019-08-14: Initial vulnerability report published.
2019-09-03: Updated the fixed version and references section.