CVE-2019-3784

Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed. When deployed on Cloud Foundry with multiple instances using the default embedded SQLite database, a remote authenticated malicious user can switch sessions to another user with the same session ID. The embedded SQLite database is local to each instance, so session state is not shared across instances, and a session ID accepted by one instance can resolve to a different user's session on another. The fix is to upgrade to Stratos 2.3.0 or later; deployments that scale to more than one instance should also back sessions with a store shared by all instances rather than the embedded SQLite default.
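The following Go program is an added illustration of the failure mode described above and of the hardened alternative. It is not Stratos code and makes no claim about how Stratos generated session IDs: the per-instance sequential counter is a constructed stand-in used only to make the cross-instance collision deterministic, and the user names, store shape and function names are all assumptions of the example. The weak deployment gives each instance its own session table (modelling a per-instance embedded SQLite database); the hardened one uses one shared table, 128-bit random IDs from crypto/rand, and rotates the ID on authentication so a pre-login ID cannot be reused (the CWE-384 concern).

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strconv"
)

// Store is one session table: session id -> authenticated user ("" = anonymous).
// In the weak deployment every instance owns its own Store, modelling a
// per-instance embedded database; in the hardened deployment all share one.
type Store struct {
	sessions map[string]string
	counter  int // used only by the constructed weak issuer below
}

func NewStore() *Store { return &Store{sessions: map[string]string{}} }

// IssueSequential is the constructed weak pattern (assumption, not Stratos's
// scheme): ids are instance-local and count from 1, so instance A's "1" and
// instance B's "1" are different sessions belonging to different users.
func (s *Store) IssueSequential(user string) string {
	s.counter++
	id := strconv.Itoa(s.counter)
	s.sessions[id] = user
	return id
}

// IssueRandom returns a 128-bit id from crypto/rand, hex encoded.
func (s *Store) IssueRandom(user string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	id := hex.EncodeToString(b)
	s.sessions[id] = user
	return id, nil
}

// Authenticate binds a user to a session by invalidating the pre-login id and
// issuing a fresh one, so an id fixed or observed before login is useless after.
func (s *Store) Authenticate(oldID, user string) (string, error) {
	if _, ok := s.sessions[oldID]; !ok {
		return "", fmt.Errorf("unknown session %q", oldID)
	}
	delete(s.sessions, oldID)
	return s.IssueRandom(user)
}

// Lookup resolves an id the way a backend does on each request.
func (s *Store) Lookup(id string) (string, bool) {
	u, ok := s.sessions[id]
	return u, ok
}

// WeakDeployment: two instances, two private stores, instance-local ids.
// alice logs in on A and bob on B; both receive id "1". When the router sends
// a request carrying alice's cookie to B, B serves it as bob.
func WeakDeployment() (aliceID, resolvedOnB string) {
	a, b := NewStore(), NewStore()
	aliceID = a.IssueSequential("alice")
	_ = b.IssueSequential("bob")
	resolvedOnB, _ = b.Lookup(aliceID)
	return aliceID, resolvedOnB
}

// HardenedDeployment: one shared store, random ids, rotation on login. The same
// routing resolves the right user and the pre-login id no longer exists.
func HardenedDeployment() (resolvedOnB string, preLoginStillValid bool, err error) {
	shared := NewStore()
	a, b := shared, shared // both instances read and write the same table
	pre, err := a.IssueRandom("") // anonymous session before login
	if err != nil {
		return "", false, err
	}
	aliceID, err := a.Authenticate(pre, "alice")
	if err != nil {
		return "", false, err
	}
	if _, err = b.IssueRandom("bob"); err != nil {
		return "", false, err
	}
	resolvedOnB, _ = b.Lookup(aliceID)
	_, preLoginStillValid = b.Lookup(pre)
	return resolvedOnB, preLoginStillValid, nil
}

func main() {
	id, who := WeakDeployment()
	fmt.Printf("weak: alice's id %q is served on instance B as %q\n", id, who)
	who, stale, err := HardenedDeployment()
	if err != nil {
		panic(err)
	}
	fmt.Printf("hardened: served on B as %q; pre-login id still valid: %v\n", who, stale)
}
```

The shared store is the part that matters for the multi-instance case: with private per-instance tables even unguessable random IDs would merely bounce the user to a logged-out state on the other instance, which trades the confidentiality failure for an availability one rather than fixing it.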

Published: 2019-03-07 18:29    Updated: 2019-10-09 23:49

CVSS Score: 4.0 / 10
Vendor Product Version CPE URI
Cloudfoundry Stratos 0.9.0 cpe:/a:cloudfoundry:stratos:0.9.0
Cloudfoundry Stratos 0.9.1 cpe:/a:cloudfoundry:stratos:0.9.1
Cloudfoundry Stratos 0.9.2 cpe:/a:cloudfoundry:stratos:0.9.2
Cloudfoundry Stratos 0.9.5 cpe:/a:cloudfoundry:stratos:0.9.5
Cloudfoundry Stratos 0.9.6 cpe:/a:cloudfoundry:stratos:0.9.6
Cloudfoundry Stratos 0.9.7 cpe:/a:cloudfoundry:stratos:0.9.7
Cloudfoundry Stratos 0.9.8 cpe:/a:cloudfoundry:stratos:0.9.8
Cloudfoundry Stratos 0.9.9 cpe:/a:cloudfoundry:stratos:0.9.9
Cloudfoundry Stratos 1.0.0 cpe:/a:cloudfoundry:stratos:1.0.0
Cloudfoundry Stratos 1.0.2 cpe:/a:cloudfoundry:stratos:1.0.2
Cloudfoundry Stratos 1.1.0 cpe:/a:cloudfoundry:stratos:1.1.0
Cloudfoundry Stratos 2.0.0 cpe:/a:cloudfoundry:stratos:2.0.0:-
Cloudfoundry Stratos 2.0.0 cpe:/a:cloudfoundry:stratos:2.0.0:beta-001
Cloudfoundry Stratos 2.0.0 cpe:/a:cloudfoundry:stratos:2.0.0:beta-002
Cloudfoundry Stratos 2.0.0 cpe:/a:cloudfoundry:stratos:2.0.0:rc1
Cloudfoundry Stratos 2.0.0 cpe:/a:cloudfoundry:stratos:2.0.0:rc2
Cloudfoundry Stratos 2.0.0 cpe:/a:cloudfoundry:stratos:2.0.0:rc3
Cloudfoundry Stratos 2.0.1 cpe:/a:cloudfoundry:stratos:2.0.1
Cloudfoundry Stratos 2.1.0 cpe:/a:cloudfoundry:stratos:2.1.0
Cloudfoundry Stratos 2.1.0-3 cpe:/a:cloudfoundry:stratos:2.1.0-3
Cloudfoundry Stratos 2.1.1 cpe:/a:cloudfoundry:stratos:2.1.1
Cloudfoundry Stratos 2.1.1-1 cpe:/a:cloudfoundry:stratos:2.1.1-1
Cloudfoundry Stratos 2.1.1-2 cpe:/a:cloudfoundry:stratos:2.1.1-2
Cloudfoundry Stratos 2.1.1-3 cpe:/a:cloudfoundry:stratos:2.1.1-3
Cloudfoundry Stratos 2.1.1-4 cpe:/a:cloudfoundry:stratos:2.1.1-4
Cloudfoundry Stratos 2.1.1-5 cpe:/a:cloudfoundry:stratos:2.1.1-5
Cloudfoundry Stratos 2.1.1-6 cpe:/a:cloudfoundry:stratos:2.1.1-6
Cloudfoundry Stratos 2.1.2 cpe:/a:cloudfoundry:stratos:2.1.2
Cloudfoundry Stratos 2.2.0 cpe:/a:cloudfoundry:stratos:2.2.0
Cloudfoundry Stratos 2.2.0-3 cpe:/a:cloudfoundry:stratos:2.2.0-3
Cloudfoundry Stratos 2.2.0-4 cpe:/a:cloudfoundry:stratos:2.2.0-4
Cloudfoundry Stratos 2.2.0-5 cpe:/a:cloudfoundry:stratos:2.2.0-5

CWE

ID Name Description
CWE-384 Session Fixation Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

History of changes

Date Event
2019-10-09 23:49 Updated
2019-03-07 19:34 Updated
2019-03-07 18:29 New CVE