CVE-2017-4970: Staticfile buildpack ignores basic authentication when misconfigured
Cloud Foundry Foundation
- cf-release v255
- Staticfile buildpack versions v1.4.0 – v1.4.3
A regression introduced in the Staticfile buildpack causes the Staticfile.auth configuration to be ignored when the Staticfile file is not present in the application root. Applications containing a Staticfile.auth file but no Staticfile had their basic auth turned off when an operator upgraded the Staticfile buildpack in the foundation to one of the vulnerable versions. Note that Staticfile applications without a Staticfile are technically misconfigured: buildpack detection will not select the Staticfile buildpack for them, so they stage only when the Staticfile buildpack is explicitly specified.
OSS users are strongly encouraged to follow one of the mitigations below:
- For existing deployments, upgrade the Staticfile Buildpack to v1.4.4 or later and restage all applications that use the Staticfile Buildpack.
- Upgrade to cf-release v256 when available.
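As an added example, not code from the Cloud Foundry advisory or from the Staticfile buildpack itself, the POSIX shell script below checks an application directory before cf push for the misconfiguration described above (a Staticfile.auth with no Staticfile beside it), validates the htpasswd-style lines in Staticfile.auth, and after a restage confirms that an unauthenticated request to the route is refused with 401. The file layout (a Staticfile marker and an htpasswd-format Staticfile.auth in the app root) is the buildpack's documented convention; the function names, exit codes and the STATICFILE_APP_DIR variable are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the Cloud Foundry advisory or the buildpack itself.
# Pre-push check for a Staticfile app: the misconfiguration behind CVE-2017-4970
# is a Staticfile.auth file with no Staticfile beside it, which the vulnerable
# buildpack versions staged with basic auth silently disabled.

# check_staticfile_app DIR
#   0  Staticfile present (Staticfile.auth optional)
#   1  Staticfile.auth present but Staticfile missing (the CVE-2017-4970 case)
#   2  DIR is not a directory
check_staticfile_app() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    if [ -f "$dir/Staticfile.auth" ] && [ ! -f "$dir/Staticfile" ]; then
        echo "WARNING: $dir has Staticfile.auth but no Staticfile;" >&2
        echo "         basic auth may be ignored at staging time" >&2
        return 1
    fi
    return 0
}

# ensure_staticfile DIR : create an empty Staticfile if absent, so buildpack
# detection selects the Staticfile buildpack and Staticfile.auth is read.
# (Assumption: an empty Staticfile is sufficient for detection.)
ensure_staticfile() {
    [ -f "$1/Staticfile" ] || : > "$1/Staticfile"
}

# auth_file_valid FILE : Staticfile.auth is an htpasswd file; every non-blank
# line must be user:hash with a non-empty hash (e.g. output of
# `htpasswd -c Staticfile.auth alice`).
#   0 valid, 1 no entries or a malformed line found, 2 file missing
auth_file_valid() {
    file=$1
    [ -f "$file" ] || return 2
    entries=$(grep -cv '^[[:space:]]*$' "$file") || true
    [ "$entries" -gt 0 ] || return 1
    if grep -v '^[[:space:]]*$' "$file" | grep -vqE '^[^:]+:.+$'; then
        return 1
    fi
    return 0
}

# verify_auth_enforced URL : after restaging, an unauthenticated request to a
# protected route must be answered with 401. Needs network access.
#   0 auth enforced, 1 other status (auth likely off), 2 request failed
verify_auth_enforced() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1") || return 2
    [ "$code" = "401" ]
}

# Stand-alone use: STATICFILE_APP_DIR=./myapp sh staticfile_check.sh
if [ -n "${STATICFILE_APP_DIR:-}" ]; then
    check_staticfile_app "$STATICFILE_APP_DIR" || exit $?
    if [ -f "$STATICFILE_APP_DIR/Staticfile.auth" ]; then
        auth_file_valid "$STATICFILE_APP_DIR/Staticfile.auth" || exit $?
    fi
    echo "OK: $STATICFILE_APP_DIR is ready for cf push -b staticfile_buildpack"
fi
```

Run the check against every app directory before pushing, and after upgrading the buildpack and restaging call verify_auth_enforced on each protected route; a 200 from an unauthenticated request is the symptom the advisory describes.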
- https://github.com/cloudfoundry/staticfile-buildpack/releases
- https://github.com/cloudfoundry/cf-release/releases
2017-04-10: Updated mitigation to apply to all apps using the Staticfile buildpack instead of just apps with detection
2017-04-10: Initial vulnerability report published