{"id":"CVE-2019-3785","details":"Cloud Foundry Cloud Controller, in versions prior to 1.78.0, contains an endpoint with improper authorization. A remote authenticated malicious user with read permissions can request package information and receive a signed bit-service URL that grants the user write permissions to the bit-service.","modified":"2026-04-10T04:18:05.171338Z","published":"2019-03-13T21:29:00.493Z","references":[{"type":"ADVISORY","url":"https://www.cloudfoundry.org/blog/cve-2019-3785"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/107514"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cloudfoundry/capi-release","events":[{"introduced":"0"},{"fixed":"d1bf206662d9c807603e3d90e5b32ee6b7834643"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.78.0"}]}}],"versions":["1.0.0","1.1.0","1.10.0","1.11.0","1.12.0","1.13.0","1.14.0","1.15.0","1.16.0","1.19.0","1.2.0","1.20.0","1.21.0","1.22.0","1.23.0","1.24.0","1.25.0","1.26.0","1.27.0","1.28.0","1.3.0","1.30.0","1.31.0","1.32.0","1.33.0","1.34.0","1.35.0","1.36.0","1.38.0","1.4.0","1.40.0","1.41.0","1.42.0","1.46.0","1.47.0","1.49.0","1.5.0","1.50.0","1.51.0","1.52.0","1.53.0","1.55.0","1.57.0","1.58.0","1.59.0","1.6.0","1.62.0","1.63.0","1.64.0","1.65.0","1.66.0","1.67.0","1.69.0","1.7.0","1.70.0","1.72.0","1.74.0","1.75.0","1.76.0","1.77.0","1.8.0","1.9.0","list","v1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3785.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}]}