Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-4970

An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static file had their basic auth turned off when an operator upgraded the Static file build pack in the foundation to one of the vulnerable versions. Note that Static file applications without a Static file are technically misconfigured, and will not successfully detect unless the Static file build pack is explicitly specified.

Published

2017-06-13T06:29:00.567

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 5.9 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	cloudfoundry	cf-release	255	Yes
Application	cloudfoundry	staticfile_buildpack	1.4.0	Yes
Application	cloudfoundry	staticfile_buildpack	1.4.1	Yes
Application	cloudfoundry	staticfile_buildpack	1.4.2	Yes
Application	cloudfoundry	staticfile_buildpack	1.4.3	Yes

References

https://www.cloudfoundry.org/cve-2017-4970/ Mitigation, Vendor Advisory ([email protected])
https://www.cloudfoundry.org/cve-2017-4970/ Mitigation, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)