Vulnerabilities > CVE-2019-3783 - Insecure Default Initialization of Resource vulnerability in Cloudfoundry Stratos

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

cloudfoundry

CWE-1188

NVD

Published: 2019-03-07

Updated: 2020-10-19

Summary

Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret. A malicious user with default session store secret can brute force another user's current Stratos session, and act on behalf of that user.

Vulnerable Configurations

Part	Description	Count
Application	Cloudfoundry Cloudfoundry Stratos 0.9.0 Cloudfoundry Stratos 0.9.1 Cloudfoundry Stratos 0.9.2 Cloudfoundry Stratos 0.9.5 Cloudfoundry Stratos 0.9.6 Cloudfoundry Stratos 0.9.7 Cloudfoundry Stratos 0.9.8 Cloudfoundry Stratos 0.9.9 Cloudfoundry Stratos 1.0.0 Cloudfoundry Stratos 1.0.2 Cloudfoundry Stratos 1.1.0 Cloudfoundry Stratos 2.0.0 Cloudfoundry Stratos 2.0.1 Cloudfoundry Stratos 2.1.0 Cloudfoundry Stratos 2.1.0-3 Cloudfoundry Stratos 2.1.1 Cloudfoundry Stratos 2.1.1-1 Cloudfoundry Stratos 2.1.1-2 Cloudfoundry Stratos 2.1.1-3 Cloudfoundry Stratos 2.1.1-4 Cloudfoundry Stratos 2.1.1-5 Cloudfoundry Stratos 2.1.1-6 Cloudfoundry Stratos 2.1.2 Cloudfoundry Stratos 2.2.0 Cloudfoundry Stratos 2.2.0-3 Cloudfoundry Stratos 2.2.0-4 Cloudfoundry Stratos 2.2.0-5	32

Common Weakness Enumeration (CWE)

CWE-1188 - Insecure Default Initialization of Resource

References

https://www.cloudfoundry.org/blog/cve-2019-3783