CVE-2017-4970

An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static file had their basic auth turned off when an operator upgraded the Static file build pack in the foundation to one of the vulnerable versions. Note that Static file applications without a Static file are technically misconfigured, and will not successfully detect unless the Static file build pack is explicitly specified.

CVSS v3 5.9 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://www.cloudfoundry.org/cve-2017-4970/	Mitigation Vendor Advisory
https://www.cloudfoundry.org/cve-2017-4970/	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cloudfoundry:cf-release:255:::::::*
	cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.0:::::::*
	cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.1:::::::*
	cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.2:::::::*
	cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.3:::::::*

History

21 Nov 2024, 03:26

Type	Values Removed	Values Added
References	~~() https://www.cloudfoundry.org/cve-2017-4970/ - Mitigation, Vendor Advisory~~	() https://www.cloudfoundry.org/cve-2017-4970/ - Mitigation, Vendor Advisory

Information

Published : 2017-06-13 06:29

Updated : 2024-11-21 03:26

NVD link : CVE-2017-4970

Mitre link : CVE-2017-4970

CVE.ORG link : CVE-2017-4970

JSON object : View

Products Affected

cloudfoundry

cf-release
staticfile_buildpack

CWE

NVD-CWE-noinfo

{"id": "CVE-2017-4970", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2017-06-13T06:29:00.567", "references": [{"url": "https://www.cloudfoundry.org/cve-2017-4970/", "tags": ["Mitigation", "Vendor Advisory"], "source": "security_alert@emc.com"}, {"url": "https://www.cloudfoundry.org/cve-2017-4970/", "tags": ["Mitigation", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static file had their basic auth turned off when an operator upgraded the Static file build pack in the foundation to one of the vulnerable versions. Note that Static file applications without a Static file are technically misconfigured, and will not successfully detect unless the Static file build pack is explicitly specified."}, {"lang": "es", "value": "Se detect\u00f3 un problema en cf-release versi\u00f3n v255 y Staticfile buildpack versiones v1.4.0 hasta v1.4.3 de Cloud Foundry Foundation. Una regresi\u00f3n introducida en el paquete de compilaci\u00f3n de archivos Static hace que la configuraci\u00f3n de Staticfile.auth sea ignorada cuando el archivo Static file no est\u00e9 presente en la aplicaci\u00f3n root. Las aplicaciones que contienen un archivo Staticfile.auth pero no un archivo Static tuvieron su identificaci\u00f3n b\u00e1sica desactivada cuando un operador actualiz\u00f3 el paquete de compilaci\u00f3n de archivos Static en la fundaci\u00f3n de una de las versiones vulnerables. Tomar en cuenta que las aplicaciones de archivos Static sin un archivo Static est\u00e1n mal configuradas t\u00e9cnicamente y no se detectar\u00e1n con \u00e9xito a menos que el paquete de compilaci\u00f3n de archivos Static sea especificada expl\u00edcitamente."}], "lastModified": "2024-11-21T03:26:46.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cloudfoundry:cf-release:255:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5046C2CB-99C6-4243-B830-B3957910F1AF"}, {"criteria": "cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5701A18E-C1F0-4A2D-B2C4-A87F29FCA16A"}, {"criteria": "cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B2087B57-6FCA-4FA6-8FB0-F2D998497B1C"}, {"criteria": "cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1EBCCB10-2447-4DB1-A762-F07C1373A5E2"}, {"criteria": "cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA73D713-53B5-4F9D-97D7-E1BC391A9D26"}], "operator": "OR"}]}], "sourceIdentifier": "security_alert@emc.com"}