CVE-2019-3801: Java Projects using HTTP to fetch dependencies
Severity
High
Vendor
Pivotal
Description
Cloud Foundry cf-deployment, versions prior to 7.9.0, contain Java components that use an insecure protocol (plain HTTP) to fetch dependencies at build time. A remote, unauthenticated attacker who can hijack the DNS entry for the dependency host could serve a substitute artifact and thereby inject malicious code into the component.
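The defect described above is a build-configuration one: a repository URL that starts with http:// lets anyone who controls name resolution for that host answer the artifact request. The following scanner is an added example, not code from the advisory or from the cf-deployment project; it walks Maven pom.xml and Gradle build files for repository URLs declared over plain HTTP. The two sample build files and the hostnames in them are constructed for the example, and the function names (scan_pom, scan_gradle, scan_tree) are the example's own.

```python
"""Flag dependency repositories that a Java build fetches over plain HTTP.

Added example for CVE-2019-3801 style findings: a build that pulls artifacts
from an http:// repository trusts DNS and the network path for code it will
compile and ship.  Run it against a source tree before a build, or as a CI gate.
"""
import os
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# --- Constructed sample inputs (not from the advisory) ---------------------
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <repositories>
    <repository>
      <id>corp-mirror</id>
      <url>http://repo.example.internal/maven2</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>plugins</id>
      <url>http://plugins.example.internal/maven2</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""

SAMPLE_GRADLE = """repositories {
    mavenCentral()
    maven { url 'http://legacy.example.internal/releases' }
    maven { url "https://secure.example.internal/releases" }
    maven { url = uri("http://another.example.internal/snapshots") }
}
"""

# Maven POM elements that carry a repository <url> child.
_REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository"}

# Gradle: url 'http://...', url "http://...", url = uri("http://...")
_GRADLE_HTTP_URL = re.compile(r"""url\s*(?:=\s*)?(?:uri\()?\s*['"](http://[^'"]+)['"]""")


def _local(tag: str) -> str:
    """Strip the XML namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def scan_pom(xml_text: str) -> List[Tuple[str, str]]:
    """Return (repository id, url) pairs for every http:// repository in a POM."""
    findings: List[Tuple[str, str]] = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():  # document order, namespace-agnostic
        if _local(elem.tag) not in _REPO_TAGS:
            continue
        repo_id, url = "<no id>", ""
        for child in elem:
            if _local(child.tag) == "id":
                repo_id = (child.text or "").strip() or repo_id
            elif _local(child.tag) == "url":
                url = (child.text or "").strip()
        if url.lower().startswith("http://"):
            findings.append((repo_id, url))
    return findings


def scan_gradle(text: str) -> List[str]:
    """Return every http:// repository URL declared in a Gradle build script."""
    return _GRADLE_HTTP_URL.findall(text)


def scan_tree(root_dir: str) -> List[Tuple[str, str]]:
    """Walk a source tree and report (file path, url) for each insecure repository."""
    results: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "pom.xml":
                with open(path, encoding="utf-8") as fh:
                    results += [(path, url) for _id, url in scan_pom(fh.read())]
            elif name in ("build.gradle", "build.gradle.kts", "settings.gradle"):
                with open(path, encoding="utf-8") as fh:
                    results += [(path, url) for url in scan_gradle(fh.read())]
    return results


if __name__ == "__main__":
    # Exercise the scanner on the constructed samples; a CI job would call
    # scan_tree(".") instead and fail the build when the list is non-empty.
    for repo_id, url in scan_pom(SAMPLE_POM):
        print(f"pom.xml: repository '{repo_id}' uses {url}")
    for url in scan_gradle(SAMPLE_GRADLE):
        print(f"build.gradle: repository uses {url}")
```

The scan is deliberately narrow: it only reports repositories that are explicitly declared with an http:// scheme, so it does not catch a mirror configured in a user's ~/.m2/settings.xml or a custom resolver plugin. Newer toolchains reduce the exposure on their own (Maven 3.8.1 ships a default mirror that blocks external HTTP repositories, and Gradle 7 fails the build for an http:// repository unless allowInsecureProtocol is set), so the check matters most for pinned older build tools and for explicit overrides of those defaults.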
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Pivotal Application Service 2.x versions prior to 2.3.0
Mitigation
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
  - Pivotal Application Service: 2.3.0 and higher
References
- https://www.cloudfoundry.org/blog/cve-2019-3801/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3801
History
2019-04-25: Initial vulnerability report published