CVE-2017-4970: Static file buildpack ignores basic authentication when misconfigured

Molly Crowther

Please see the following CVE (also available at

To always be up to date with OSS Cloud Foundry CVE notices, please check
out the #security channel in the Cloud Foundry slack or subscribe to in your favorite feed

Molly Crowther
CFF Security Team

April 10, 2017
CVE-2017-4970: Staticfile buildpack ignores basic authentication when


Cloud Foundry Foundation
Versions Affected

- cf-release v255
- Staticfile buildpack versions v1.4.0 – v1.4.3


A regression introduced in the Staticfile buildpack causes the
Staticfile.auth configuration to be ignored when the Staticfile file is not
present in the application root. Applications containing a Staticfile.auth file
but not a Staticfile had their basic auth silently turned off when an operator
upgraded the Staticfile buildpack in the foundation to one of the
vulnerable versions. Note that Staticfile applications without a Staticfile are
technically misconfigured: the buildpack's detection step will not match them,
so they are only staged with this buildpack when the Staticfile buildpack is
explicitly specified.
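The misconfiguration the advisory describes (a Staticfile.auth with no accompanying Staticfile) can be found and corrected before restaging. The following audit script is an added example written for this page; it is not part of the advisory or the buildpack. It assumes application source directories on local disk, constructs four sample app roots in a temporary directory (the htpasswd line and the app names are placeholders), classifies each by the presence of the two files, and remediates the at-risk layout by creating an empty Staticfile, which the buildpack accepts.

```python
"""Audit Cloud Foundry app roots for the Staticfile / Staticfile.auth layout
affected by CVE-2017-4970.  Added example; not advisory or buildpack code."""
import os
import tempfile

# Findings, keyed on the two files the advisory discusses.
OK = "ok"                      # Staticfile present, Staticfile.auth present: auth honoured
NO_AUTH = "no-auth"            # Staticfile present, no Staticfile.auth: public by design
NOT_STATIC = "not-staticfile"  # neither file: not a Staticfile app at all
AT_RISK = "auth-ignored-risk"  # Staticfile.auth without Staticfile: auth dropped on v1.4.0-v1.4.3


def audit_app_root(app_root):
    """Classify one application root by the presence of Staticfile and Staticfile.auth."""
    has_staticfile = os.path.isfile(os.path.join(app_root, "Staticfile"))
    has_auth = os.path.isfile(os.path.join(app_root, "Staticfile.auth"))
    if has_auth and not has_staticfile:
        return AT_RISK
    if has_staticfile and has_auth:
        return OK
    if has_staticfile:
        return NO_AUTH
    return NOT_STATIC


def audit_many(roots):
    """Audit several app roots; returns {basename: finding}."""
    return {os.path.basename(root): audit_app_root(root) for root in roots}


def fix_missing_staticfile(app_root):
    """Remediate an AT_RISK app by creating an empty Staticfile so the buildpack
    detects the app and reads Staticfile.auth.  Returns True if a file was created."""
    path = os.path.join(app_root, "Staticfile")
    if os.path.exists(path):
        return False
    with open(path, "w"):
        pass  # an empty Staticfile is sufficient for detection
    return True


def build_sample_apps(base):
    """Create constructed sample app roots (placeholder names and contents)."""
    layouts = {
        "shop": ["Staticfile", "Staticfile.auth"],
        "docs": ["Staticfile"],
        "intranet": ["Staticfile.auth"],  # the misconfiguration the advisory describes
        "api": ["Procfile"],
    }
    for name, files in layouts.items():
        app_dir = os.path.join(base, name)
        os.makedirs(app_dir, exist_ok=True)
        for fname in files:
            with open(os.path.join(app_dir, fname), "w") as fh:
                if fname == "Staticfile.auth":
                    # htpasswd-style line; the hash is a placeholder, not a real credential
                    fh.write("admin:$apr1$PLACEHOLDER_HASH\n")
    return [os.path.join(base, name) for name in layouts]


def run_demo():
    """Audit the constructed apps, remediate the at-risk one, and re-audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = build_sample_apps(tmp)
        before = audit_many(roots)
        intranet = os.path.join(tmp, "intranet")
        created = fix_missing_staticfile(intranet)
        created_again = fix_missing_staticfile(intranet)  # idempotent: nothing to do
        after = audit_app_root(intranet)
    return {"before": before, "created": created,
            "created_again": created_again, "after": after}


if __name__ == "__main__":
    result = run_demo()
    for name, finding in result["before"].items():
        print(f"{name:10s} {finding}")
    print("intranet after fix:", result["after"])
```

Only apps reported as `auth-ignored-risk` lose protection on the vulnerable buildpack versions; after adding the Staticfile, the app still needs to be restaged on buildpack v1.4.4 or later for the change to take effect.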

OSS users are strongly encouraged to follow one of the mitigations below:

- For existing deployments, upgrade the Staticfile Buildpack to v1.4.4
or later [1] and restage all applications that use the Staticfile Buildpack.
- Upgrade to cf-release v256 [2] when available.


- [1]
- [2]


2017-04-10: Updated mitigation to apply to all apps using the Staticfile
buildpack instead of just apps that rely on buildpack detection

2017-04-10: Initial vulnerability report published
