CVE-2017-4970 - OpenCVE

An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static file had their basic auth turned off when an operator upgraded the Static file build pack in the foundation to one of the vulnerable versions. Note that Static file applications without a Static file are technically misconfigured, and will not successfully detect unless the Static file build pack is explicitly specified.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Cloudfoundry	Cf-release Staticfile Buildpack

Configuration 1 [-]

OR	cpe:2.3:a:cloudfoundry:cf-release:255:::::::*
	cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.0:::::::*
	cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.1:::::::*
	cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.2:::::::*
	cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.3:::::::*

References

Link	Resource
https://www.cloudfoundry.org/cve-2017-4970/	Mitigation Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: dell

Published: 2017-06-13T06:00:00

Updated: 2017-06-13T05:57:01

Reserved: 2016-12-29T00:00:00

Link: CVE-2017-4970

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-06-13T06:29:00.567

Modified: 2019-10-03T00:03:26.223

Link: CVE-2017-4970

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "Cloud Foundry", "vendor": "n/a", "versions": [{"status": "affected", "version": "Cloud Foundry"}]}], "datePublic": "2017-06-12T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static file had their basic auth turned off when an operator upgraded the Static file build pack in the foundation to one of the vulnerable versions. Note that Static file applications without a Static file are technically misconfigured, and will not successfully detect unless the Static file build pack is explicitly specified."}], "problemTypes": [{"descriptions": [{"description": "Staticfile buildpack ignores basic authentication when misconfigured", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-06-13T05:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cloudfoundry.org/cve-2017-4970/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "ID": "CVE-2017-4970", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cloud Foundry", "version": {"version_data": [{"version_value": "Cloud Foundry"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static file had their basic auth turned off when an operator upgraded the Static file build pack in the foundation to one of the vulnerable versions. Note that Static file applications without a Static file are technically misconfigured, and will not successfully detect unless the Static file build pack is explicitly specified."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Staticfile buildpack ignores basic authentication when misconfigured"}]}]}, "references": {"reference_data": [{"name": "https://www.cloudfoundry.org/cve-2017-4970/", "refsource": "CONFIRM", "url": "https://www.cloudfoundry.org/cve-2017-4970/"}]}}}}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2017-4970", "datePublished": "2017-06-13T06:00:00", "dateReserved": "2016-12-29T00:00:00", "dateUpdated": "2017-06-13T05:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudfoundry:cf-release:255:*:*:*:*:*:*:*", "matchCriteriaId": "5046C2CB-99C6-4243-B830-B3957910F1AF", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5701A18E-C1F0-4A2D-B2C4-A87F29FCA16A", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "B2087B57-6FCA-4FA6-8FB0-F2D998497B1C", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "1EBCCB10-2447-4DB1-A762-F07C1373A5E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloudfoundry:staticfile_buildpack:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "EA73D713-53B5-4F9D-97D7-E1BC391A9D26", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static file had their basic auth turned off when an operator upgraded the Static file build pack in the foundation to one of the vulnerable versions. Note that Static file applications without a Static file are technically misconfigured, and will not successfully detect unless the Static file build pack is explicitly specified."}, {"lang": "es", "value": "Se detect\u00f3 un problema en cf-release versi\u00f3n v255 y Staticfile buildpack versiones v1.4.0 hasta v1.4.3 de Cloud Foundry Foundation. Una regresi\u00f3n introducida en el paquete de compilaci\u00f3n de archivos Static hace que la configuraci\u00f3n de Staticfile.auth sea ignorada cuando el archivo Static file no est\u00e9 presente en la aplicaci\u00f3n root. Las aplicaciones que contienen un archivo Staticfile.auth pero no un archivo Static tuvieron su identificaci\u00f3n b\u00e1sica desactivada cuando un operador actualiz\u00f3 el paquete de compilaci\u00f3n de archivos Static en la fundaci\u00f3n de una de las versiones vulnerables. Tomar en cuenta que las aplicaciones de archivos Static sin un archivo Static est\u00e1n mal configuradas t\u00e9cnicamente y no se detectar\u00e1n con \u00e9xito a menos que el paquete de compilaci\u00f3n de archivos Static sea especificada expl\u00edcitamente."}], "id": "CVE-2017-4970", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-06-13T06:29:00.567", "references": [{"source": "security_alert@emc.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.cloudfoundry.org/cve-2017-4970/"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}