CVE-2017-4970

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2017-4970
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-4970.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-4970
Published
2017-06-13T06:29:00.567Z
Modified
2026-04-10T04:01:42.516620Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static file had their basic auth turned off when an operator upgraded the Static file build pack in the foundation to one of the vulnerable versions. Note that Static file applications without a Static file are technically misconfigured, and will not successfully detect unless the Static file build pack is explicitly specified.

References

Affected packages

Git / github.com/cloudfoundry/cf-release

Affected ranges

Type
GIT
Repo
https://github.com/cloudfoundry/cf-release
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
d5295bc2fb9e5d84254470c1fa5cd3ea10d80a05
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "255"
        }
    ]
}
Type
GIT
Repo
https://github.com/cloudfoundry/staticfile-buildpack
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
7b401f7a84a36b9180af87deec9e2aeb4f2ccd31
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
4bce71ae7668b7b44aec550400650bb51427c336
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
a62436383bd9f94d141a5e1cc448283595cce0ab
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.4.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.4.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.4.2"
        }
    ]
}

Affected versions

Other
-
list
log
scotty_09012012
v100
v102
v103
v104
v105
v109
v119
v132
v133
v134
v135
v136
v137
v140
v143
v156
v157
v161
v170
v183
v205
v245
v249
v253
v255
v99
works-for-us
rc145.*
rc145.0
v0.*
v0.2.0
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.2
v1.*
v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.3.1
v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.17
v1.3.18
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.4.1
v1.4.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-4970.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "1.4.3"
            }
        ]
    }
]