CVE-2019-3801: Java Projects using HTTP to fetch dependencies
Severity

High

Vendor

Pivotal

Description

Cloud Foundry cf-deployment, versions prior to 7.9.0, contains Java components that use an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency and inject malicious code into the component.
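As an added example, not part of this advisory or of cf-deployment, the following Python check lets a defender audit a Java source tree for build files that still resolve dependencies over plaintext HTTP, the condition the advisory describes. It assumes Maven (pom.xml, settings.xml) and Gradle build files; the sample inputs are constructed, not taken from the affected components.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample build files: one Maven POM and one Gradle script,
# each mixing a plaintext-HTTP repository with an HTTPS one.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>mirror</id><url>http://repo.example.test/maven2</url></repository>
    <repository><id>central</id><url>https://repo.example.test/maven2</url></repository>
  </repositories>
</project>"""
SAMPLE_GRADLE = """repositories {
    maven { url "http://mirror.example.test/m2" }
    maven { url 'https://repo.example.test/m2' }
}"""

# Elements in pom.xml / settings.xml whose <url> child names a download source.
REPO_TAGS = {"repository", "pluginRepository", "mirror"}
# Gradle scripts are not XML, so match any http:// URL literal (comments included).
HTTP_URL = re.compile(r"\bhttp://[^\s'\"<>]+")


def insecure_repo_urls_pom(pom_xml: str) -> list[str]:
    """Return plaintext-HTTP repository URLs declared in a Maven POM or settings file."""
    found = []
    for el in ET.fromstring(pom_xml).iter():
        if el.tag.rsplit("}", 1)[-1] not in REPO_TAGS:  # strip the POM namespace
            continue
        for child in el:
            text = (child.text or "").strip()
            if child.tag.rsplit("}", 1)[-1] == "url" and text.lower().startswith("http://"):
                found.append(text)
    return found


def insecure_repo_urls_gradle(script: str) -> list[str]:
    """Return plaintext-HTTP URL literals found in a Gradle build script."""
    return HTTP_URL.findall(script)


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a source tree and map each offending build file to its HTTP URLs."""
    report = {}
    for path in root.rglob("*"):
        if path.name in ("pom.xml", "settings.xml"):
            urls = insecure_repo_urls_pom(path.read_text())
        elif path.suffix in (".gradle", ".kts"):
            urls = insecure_repo_urls_gradle(path.read_text())
        else:
            continue
        if urls:
            report[str(path)] = urls
    return report
```

Any URL reported should be switched to https:// (or the repository mirrored over TLS); pinning dependency checksums in the build closes the remaining gap when a mirror cannot be changed.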

Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • Pivotal Application Service 2.x versions prior to 2.3.0

Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • Pivotal Application Service: 2.3.0 and higher

References

History

2019-04-25: Initial vulnerability report published