cvelist/2019/3xxx/CVE-2019-3786.json


{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"secure@dell.com","DATE_PUBLIC":"2019-04-08T00:00:00.000Z","ID":"CVE-2019-3786","STATE":"PUBLIC","TITLE":"BBR could run arbitrary scripts on deployment VMs"},"source":{"discovery":"UNKNOWN"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"BOSH Backup and Restore","version":{"version_data":[{"affected":"<","version_name":"All","version_value":"v1.5.0"}]}}]},"vendor_name":"Cloud Foundry"}]}},"description":{"description_data":[{"lang":"eng","value":"Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a BOSH Backup and Restore job to request extra backup files from different jobs upon restore. The hooks exploited through this metadata script were only maintained in the cfcr-etcd-release, so clusters deployed with the BBR job for etcd in this release are vulnerable."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":null}]}]},"references":{"reference_data":[{"refsource":"CONFIRM","url":"https://www.cloudfoundry.org/blog/cve-2019-3786","name":"https://www.cloudfoundry.org/blog/cve-2019-3786"}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","version":"3.0"}}}