CVE-2019-3786

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-3786
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3786.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-3786
Published
2019-04-24T16:29:01Z
Modified
2024-09-03T02:51:33.924843Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Summary
[none]
Details

Cloud Foundry BOSH Backup and Restore (BBR) CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a BOSH Backup and Restore job so that, on restore, it requests backup files belonging to different jobs. The exploited hooks in the metadata script were only maintained in cfcr-etcd-release, so clusters deployed with the BBR job for etcd from that release are vulnerable.
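The failure mode above is a job-supplied metadata document being trusted to select restore artifacts. The following is an added illustration, not BBR's own code and not a reproduction of how 1.5.0 fixed the issue: it uses an assumed, simplified metadata document (JSON with job_name and restore_name fields rather than BBR's real YAML schema) and a constructed in-memory backup set with two jobs, and shows a restore path that hands over whatever the script names beside one that binds the request to the job identity the orchestrator already knows and only releases an artifact to the job that produced it.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Metadata is an assumed, simplified shape for what a job's metadata script
// prints. It is not BBR's real schema; it models only a self-declared job name
// and a self-declared name of the artifact to restore.
type Metadata struct {
	JobName     string `json:"job_name"`
	RestoreName string `json:"restore_name"`
}

// Artifact is what one job produced during backup.
type Artifact struct {
	OwnerJob string
	Files    []string
}

// backupSet is a constructed backup: two jobs, two artifacts, keyed by the
// name each artifact was stored under.
var backupSet = map[string]Artifact{
	"etcd": {OwnerJob: "etcd", Files: []string{"etcd-snapshot.db"}},
	"uaa":  {OwnerJob: "uaa", Files: []string{"uaa-users.sql"}},
}

// ParseMetadata decodes the metadata document (JSON here so the example has
// no dependencies; real BBR metadata scripts emit YAML).
func ParseMetadata(raw string) (Metadata, error) {
	var m Metadata
	if err := json.Unmarshal([]byte(raw), &m); err != nil {
		return Metadata{}, fmt.Errorf("bad metadata: %w", err)
	}
	if m.JobName == "" || m.RestoreName == "" {
		return Metadata{}, fmt.Errorf("metadata missing job_name or restore_name")
	}
	return m, nil
}

// VulnerableRestore models the pre-1.5.0 behaviour described above: whatever
// the script asks for by name is handed over, with no check that the asking
// job produced it, so a job on a compromised VM can pull another job's
// backup files onto itself.
func VulnerableRestore(m Metadata) ([]string, error) {
	a, ok := backupSet[m.RestoreName]
	if !ok {
		return nil, fmt.Errorf("no artifact named %q", m.RestoreName)
	}
	return a.Files, nil
}

// HardenedRestore takes the job identity from the caller (the BOSH job the
// script is being run on), rejects metadata that claims a different identity,
// and releases an artifact only to the job that produced it.
func HardenedRestore(boshJobName string, m Metadata) ([]string, error) {
	if m.JobName != boshJobName {
		return nil, fmt.Errorf("metadata claims job %q but is running as %q: refusing", m.JobName, boshJobName)
	}
	a, ok := backupSet[m.RestoreName]
	if !ok {
		return nil, fmt.Errorf("no artifact named %q", m.RestoreName)
	}
	if a.OwnerJob != boshJobName {
		return nil, fmt.Errorf("job %q requested artifact owned by %q: refusing", boshJobName, a.OwnerJob)
	}
	return a.Files, nil
}

func main() {
	// Constructed malicious metadata: the etcd job's script asks for uaa's artifact.
	m, err := ParseMetadata(`{"job_name":"etcd","restore_name":"uaa"}`)
	if err != nil {
		panic(err)
	}
	files, err := VulnerableRestore(m)
	fmt.Println("vulnerable restore:", files, err)
	files, err = HardenedRestore("etcd", m)
	fmt.Println("hardened restore:  ", files, err)
}
```

The point of the hardened path is that the job name comes from the orchestrator's own deployment knowledge, never from the script being evaluated; a metadata document can still name any artifact it likes, but the name is only honoured when the owner matches the job actually being restored.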

References

Affected packages

Git / github.com/cloudfoundry-incubator/bosh-backup-and-restore

Affected ranges

Type
GIT
Repo
https://github.com/cloudfoundry-incubator/bosh-backup-and-restore
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.0-beta.1.3

v0.*

v0.1.0-rc.219
v0.1.0-rc.220
v0.1.0-rc.221
v0.1.0-rc.222
v0.1.0-rc.223
v0.1.0-rc.224
v0.1.0-rc.225
v0.1.0-rc.226
v0.1.0-rc.227
v0.1.0-rc.228
v0.1.0-rc.229
v0.1.0-rc.230
v0.1.0-rc.231
v0.1.0-rc.232
v0.1.0-rc.233
v0.1.0-rc.234
v0.1.0-rc.235
v0.1.0-rc.236
v0.1.0-rc.237
v0.1.0-rc.238
v0.1.0-rc.239
v0.1.0-rc.240
v0.1.0-rc.241
v0.1.0-rc.242
v0.1.0-rc.243
v0.1.0-rc.244
v0.1.0-rc.245
v0.1.0-rc.246
v0.1.0-rc.247
v0.1.0-rc.248
v0.1.0-rc.249
v0.1.0-rc.250
v0.1.0-rc.251
v0.1.0-rc.252
v0.1.0-rc.253
v0.1.0-rc.254
v0.1.1-rc.11
v0.1.2

v1.*

v1.0.0
v1.0.0-beta.4
v1.1.0
v1.1.0-alpha
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.6
v1.2.7
v1.2.8
v1.3.0
v1.3.1
v1.3.2
v1.4.0