Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2019-3902 CVE-2018-17983 |
CWE-ID | CWE-61 CWE-125 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | cflinuxfs3 |
Vendor | Cloud Foundry Foundation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU29241
Risk: Medium
CVSSv3.1: 4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-3902
CWE-ID:
CWE-61 - UNIX Symbolic Link (Symlink) Following
Exploit availability: No
Description
The vulnerability allows a remote user to write files outside a repository, which can lead to privilege escalation on the system.
The vulnerability exists due to a symlink following issue (CWE-61) in repository path handling. A remote user who can supply repository content (for example, a symbolic link committed to a repository that the victim then clones or updates) can direct a subsequent file write through that link so that it lands outside the repository working directory, overwriting files accessible to the victim's account.
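The pattern behind CWE-61 is a writer that joins a repository-supplied relative path onto the checkout root and opens it, letting any symlink on the way redirect the write. The block below is an added example, not code from cflinuxfs3 or from the affected component: it places a constructed symlink inside a temporary repository, shows the naive writer following it out of the root, and shows a hardened writer that rejects dot segments, resolves the parent directory through symlinks and checks it is still under the root, and opens the leaf with O_NOFOLLOW. The function names and the sample tree are assumptions for illustration.

```python
import errno
import os
import shutil
import tempfile


class UnsafePathError(Exception):
    """Raised when a write would land outside the repository root."""


def naive_write(root, relpath, data):
    """Vulnerable pattern (CWE-61): join and write, following every symlink on the way.

    If any directory component of relpath is a symlink to a location outside
    root, the file is created there instead of inside the repository.
    """
    dest = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def safe_write(root, relpath, data):
    """Hardened write: reject traversal, symlinked parent directories and a symlinked leaf."""
    root_real = os.path.realpath(root)
    parts = relpath.replace("\\", "/").split("/")
    if os.path.isabs(relpath) or any(p in ("", ".", "..") for p in parts):
        raise UnsafePathError("absolute or dot-segment path: %r" % relpath)
    dest = os.path.join(root_real, *parts)
    # Resolve the parent through any symlinks and confirm it is still inside the root.
    parent_real = os.path.realpath(os.path.dirname(dest))
    if os.path.commonpath([root_real, parent_real]) != root_real:
        raise UnsafePathError("parent of %r resolves outside the repository" % relpath)
    # Open the leaf without following a symlink, so a link as the final
    # component cannot redirect the write either (ELOOP on Linux/macOS, EMLINK on FreeBSD).
    try:
        fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o644)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):
            raise UnsafePathError("leaf %r is a symlink" % relpath) from e
        raise
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest


def demo():
    """Build a constructed repository containing escaping symlinks and try both writers."""
    base = tempfile.mkdtemp(prefix="cwe61-")
    try:
        root = os.path.join(base, "repo")
        outside = os.path.join(base, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        # Constructed malicious content, standing in for links committed to a repository:
        # a directory symlink pointing outside the root and a file symlink doing the same.
        os.symlink(outside, os.path.join(root, "sub"))
        os.symlink(os.path.join(outside, "target"), os.path.join(root, "leaf"))

        naive_write(root, "sub/evil.txt", b"owned")
        results = {"naive_escaped": os.path.isfile(os.path.join(outside, "evil.txt"))}

        for name, rel in (("safe_blocked_parent", "sub/evil.txt"),
                          ("safe_blocked_leaf", "leaf"),
                          ("safe_blocked_dotdot", "../outside/evil2.txt")):
            try:
                safe_write(root, rel, b"owned")
                results[name] = False
            except UnsafePathError:
                results[name] = True

        os.makedirs(os.path.join(root, "docs"))
        safe_write(root, "docs/readme.txt", b"ok")
        with open(os.path.join(root, "docs", "readme.txt"), "rb") as f:
            results["legit_written"] = f.read() == b"ok"
        results["leaf_untouched"] = not os.path.exists(os.path.join(outside, "target"))
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

The parent check and the O_NOFOLLOW open are separate steps on purpose: realpath catches a link in an intermediate component, O_NOFOLLOW catches a link as the final component, and neither alone covers both. A link swapped in between the realpath call and the open is still a race; closing that fully needs openat with a directory descriptor pinned to the root, which is beyond this example.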
Mitigation
Update to cflinuxfs3 0.261.0 or later (see the vendor release linked below).
Vulnerable software versions
cflinuxfs3: 0.0.0 - 0.260.0
External links
http://github.com/cloudfoundry/cflinuxfs3/releases/tag/0.261.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15317
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-17983
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a local attacker to obtain potentially sensitive information or cause a DoS condition on the target system.
The vulnerability exists in the cext/manifest.c file due to missing bounds checks when parsing manifest entries. An attacker who can get a malformed manifest entry processed on the system (for example, through crafted repository data) can trigger an out-of-bounds read to disclose memory contents or crash the parsing process, causing a denial of service (DoS) condition.
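A manifest parser that slices each entry by fixed offsets reads past the entry when the entry is shorter than the layout assumes; in C that is the out-of-bounds read described above, in Python it surfaces as silently wrong values. The block below is an added example, not code from cflinuxfs3 or from the affected component (cext/manifest.c belongs to Mercurial, whose text manifest layout of one `path\0<40-hex-node>[l|x]\n` entry per line is assumed here). It places an unchecked parser beside a bounds-checked one and runs both over constructed entries, including a truncated one; the sample entries and function names are assumptions for illustration.

```python
import binascii

NODE_LEN = 40                  # hex-encoded 20-byte node id
ALLOWED_FLAGS = (b"l", b"x")   # symlink / executable


class ManifestError(ValueError):
    """Malformed manifest entry."""


def parse_entry_unchecked(line):
    """Vulnerable-style parser: trusts the layout and slices by fixed offsets.

    On a truncated entry it returns whatever bytes follow the NUL, fewer than
    40 and possibly including the newline, without any error. The C equivalent
    of these fixed-offset reads runs past the end of the buffer.
    """
    nul = line.index(b"\0")
    node = line[nul + 1:nul + 1 + NODE_LEN]
    flag = line[nul + 1 + NODE_LEN:].rstrip(b"\n")
    return line[:nul], node, flag


def parse_entry(line):
    """Bounds-checked parser: every field read is validated against the entry length."""
    if not line.endswith(b"\n"):
        raise ManifestError("entry not newline-terminated")
    body = line[:-1]
    nul = body.find(b"\0")
    if nul <= 0:
        raise ManifestError("missing or empty path")
    path, rest = body[:nul], body[nul + 1:]
    if b"\0" in rest:
        raise ManifestError("stray NUL in node field")
    if len(rest) < NODE_LEN:
        raise ManifestError("node truncated: %d bytes" % len(rest))
    node, flag = rest[:NODE_LEN], rest[NODE_LEN:]
    try:
        binascii.unhexlify(node)
    except (binascii.Error, ValueError):
        raise ManifestError("node is not hex") from None
    if flag and flag not in ALLOWED_FLAGS:
        raise ManifestError("bad flag %r" % flag)
    return path, node, flag


def parse_manifest(data):
    """Parse a whole manifest into (path, node, flag) tuples, raising on the first bad entry."""
    entries = []
    pos = 0
    while pos < len(data):
        end = data.find(b"\n", pos)
        if end < 0:
            raise ManifestError("final entry not newline-terminated")
        entries.append(parse_entry(data[pos:end + 1]))
        pos = end + 1
    return entries


def rejects(line):
    """True if the checked parser refuses the entry."""
    try:
        parse_entry(line)
    except ManifestError:
        return True
    return False


# Constructed sample manifest (not real repository data).
GOOD = (b"README\0" + b"ab" * 20 + b"\n"
        + b"bin/run\0" + b"0123456789abcdef0123456789abcdef01234567" + b"x\n")
TRUNCATED = b"README\0abc\n"          # node cut short: the case the checks must catch
BAD_FLAG = b"a\0" + b"ab" * 20 + b"q\n"
NO_NEWLINE = b"a\0" + b"ab" * 20

if __name__ == "__main__":
    print(parse_manifest(GOOD))
    print("unchecked on truncated entry:", parse_entry_unchecked(TRUNCATED))
    print("checked rejects truncated entry:", rejects(TRUNCATED))
```

The order of the checks matters: the length test runs before the node slice and the hex test, so no field is read until the entry is known to be long enough to hold it, which is the property the C code needs as well.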
Mitigation
Update to cflinuxfs3 0.261.0 or later (see the vendor release linked below).
Vulnerable software versions
cflinuxfs3: 0.0.0 - 0.260.0
External links
http://github.com/cloudfoundry/cflinuxfs3/releases/tag/0.261.0
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.