CVE-2019-3801: Java Projects using HTTP to fetch dependencies
Cloud Foundry cf-deployment, versions prior to 7.9.0, contains Java components that use an insecure protocol (plain HTTP) to fetch dependencies at build time. A remote, unauthenticated attacker could hijack the DNS entry for the dependency source and inject malicious code into the component.
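As an added illustration, not part of this advisory or of any Cloud Foundry component, the following Python script flags the weak setting the advisory describes, a Maven or Gradle repository declared with a plain `http://` URL, and returns the `https://` form it should use. The `pom.xml` and Gradle snippets are constructed samples; the host names in them are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample build files; not taken from any real Cloud Foundry component.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <url>http://example.test/homepage</url>
  <repositories>
    <repository><id>plain</id><url>http://repo.example.test/maven2</url></repository>
    <repository><id>tls</id><url>https://repo.example.test/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plug</id><url>HTTP://plugins.example.test/m2</url></pluginRepository>
  </pluginRepositories>
</project>"""

SAMPLE_GRADLE = """repositories {
    maven { url "http://repo.example.test/maven2" }
    maven { url = uri("https://repo.example.test/maven2") }
    maven("http://kotlin.example.test/m2")
    mavenCentral()
}"""

def _local(tag):
    """Strip an XML namespace prefix ('{ns}url' -> 'url')."""
    return tag.rsplit("}", 1)[-1]

def insecure_maven_repos(pom_xml):
    """URLs of <repository>/<pluginRepository> entries fetched over plain HTTP.
    The project-level <url> (homepage) is ignored: nothing is downloaded from it."""
    root = ET.fromstring(pom_xml)
    hits = []
    for el in root.iter():
        if _local(el.tag) in ("repository", "pluginRepository"):
            for child in el:
                if _local(child.tag) == "url":
                    url = (child.text or "").strip()
                    if url.lower().startswith("http://"):
                        hits.append(url)
    return hits

# Matches `url "http://..."`, `url = "..."`, `url = uri("...")` and `maven("...")`.
GRADLE_HTTP = re.compile(r"""(?:url\s*=?\s*(?:uri\()?|maven\()\s*["'](http://[^"']+)["']""", re.I)

def insecure_gradle_repos(build_text):
    """Repository URLs in a Gradle build script that use plain HTTP."""
    return GRADLE_HTTP.findall(build_text)

def https_fix(url):
    """The corrected form: same host and path, served over TLS."""
    return "https://" + url[len("http://"):]
```

Run the two scanners over every `pom.xml` and `build.gradle` in a repository before a build, and treat any hit as a build-breaking finding until the URL is switched to the `https://` form.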
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Pivotal Application Service 2.x versions prior to 2.3.0
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
  - Pivotal Application Service: 2.3.0 and higher
2019-04-25: Initial vulnerability report published