Cloud Foundry Foundation cflinuxfs3 update for Git



Published: 2022-10-27 | Updated: 2023-05-29
Risk High
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2020-16156
CVE-2022-39253
CVE-2022-39260
CWE-ID CWE-347
CWE-20
CWE-122
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Vulnerable software
Subscribe
cflinuxfs3
Other software / Other software solutions

Vendor Cloud Foundry Foundation

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Improper Verification of Cryptographic Signature

EUVDB-ID: #VU68606

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-16156

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect processing of signed code. A remote attacker trick the victim into downloading a malicious file, bypass signature verification procedure and compromise the affected system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

cflinuxfs3: before 0.329.0

External links

http://github.com/cloudfoundry/cflinuxfs3/releases/tag/0.329.0


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Input validation error

EUVDB-ID: #VU68517

Risk: Low

CVSSv3.1: 2.8 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-39253

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to the way Git handles hardlinks when performing a local clone. A remote attacker can trick the victim into clocking a malicious repository and create or copy hardlinks to critical files on the system, which can result in sensitive information exposure.

Mitigation

Install update from vendor's website.

Vulnerable software versions

cflinuxfs3: before 0.329.0

External links

http://github.com/cloudfoundry/cflinuxfs3/releases/tag/0.329.0


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Heap-based buffer overflow

EUVDB-ID: #VU68518

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-39260

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the "git shell" command when handling untrusted input. A remote attacker can trick the victim to execute the affected command against a malicious repository, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

cflinuxfs3: before 0.329.0

External links

http://github.com/cloudfoundry/cflinuxfs3/releases/tag/0.329.0


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###