CVE-2019-3786

Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a Bosh Backup and Restore job to request extra backup files from different jobs upon restore. The exploited hooks in this metadata script were only maintained in the cfcr-etcd-release, so clusters deployed with the BBR job for etcd in this release are vulnerable.
References
Link Resource
https://www.cloudfoundry.org/blog/cve-2019-3786 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:cloudfoundry:bosh_backup_and_restore:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-04-24 16:29

Updated : 2024-02-28 17:08


NVD link : CVE-2019-3786

Mitre link : CVE-2019-3786

CVE.ORG link : CVE-2019-3786


JSON object : View

Products Affected

cloudfoundry

  • bosh_backup_and_restore
CWE
CWE-345

Insufficient Verification of Data Authenticity

CWE-269

Improper Privilege Management