6 vulnerabilities found for cloud_foundry_notifications by pivotal
FKIE_CVE-2023-20885
Vulnerability from fkie_nvd - Published: 2023-06-16 13:15 - Updated: 2024-12-16 20:15
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
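Vulnerability in Cloud Foundry Notifications, Cloud Foundry SMB-volume release, and Cloud Foundry cf-nfs-volume release. This issue affects Notifications: All versions prior to 63; SMB-volume release: All versions prior to 3.1.19; cf-nfs-volume release: 5.0.X versions prior to 5.0.27, 7.1.X versions prior to 7.1.19. The record below classifies the weakness as CWE-532 (insertion of sensitive information into a log file), and the vendor advisory it links concerns CF workflows leaking credentials in system audit logs.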
References
Impacted products
| Vendor | Product | Version | Affected range (from cpeMatch) |
|---|---|---|---|
| pivotal | cloud_foundry_nfs_volume | * | >= 5.0.0, < 5.0.27 |
| pivotal | cloud_foundry_nfs_volume | * | >= 7.1.0, < 7.1.19 |
| pivotal | cloud_foundry_notifications | * | < 63 |
| pivotal | cloud_foundry_smb_volume | * | < 3.1.19 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_nfs_volume:*:*:*:*:*:*:*:*",
"matchCriteriaId": "708A44E3-874B-4A4F-9B91-432E7D4131BB",
"versionEndExcluding": "5.0.27",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_nfs_volume:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4887C1A5-6FD4-49C3-A33E-01BD57C785F5",
"versionEndExcluding": "7.1.19",
"versionStartIncluding": "7.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_notifications:*:*:*:*:*:*:*:*",
"matchCriteriaId": "17581E39-7468-41C0-A0F3-8247B35F36C9",
"versionEndExcluding": "63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_smb_volume:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14458EC9-C02D-4DB8-A93E-87C1057F0AA8",
"versionEndExcluding": "3.1.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in Cloud Foundry Notifications, Cloud Foundry SMB-volume release, Cloud FOundry cf-nfs-volume release.This issue affects Notifications: All versions prior to 63; SMB-volume release: All versions prior to 3.1.19; cf-nfs-volume release: 5.0.X versions prior to 5.0.27, 7.1.X versions prior to 7.1.19.\n\n"
}
],
"id": "CVE-2023-20885",
"lastModified": "2024-12-16T20:15:06.557",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-16T13:15:09.463",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.cloudfoundry.org/blog/cve-2023-20885-cf-workflows-leak-credentials-in-system-audit-logs/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.cloudfoundry.org/blog/cve-2023-20885-cf-workflows-leak-credentials-in-system-audit-logs/"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2019-3800
Vulnerability from fkie_nvd - Published: 2019-08-05 17:15 - Updated: 2024-11-21 04:42
Severity ?
6.3 (Medium) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
7.8 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
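CF CLI versions prior to v6.45.0 (bosh release version 1.16.0) write the client id and secret to the CLI config file when the user authenticates with the --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, the owner of the leaked credentials. This description does not say whether upgrading removes a secret that was already written, so a config file produced by an affected version should be checked and the client secret rotated if it was exposed.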
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_command_line_interface:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D4FD32DF-0EF0-4CDA-992A-FFD404A05AB2",
"versionEndExcluding": "6.45.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_command_line_interface_release:*:*:*:*:*:*:*:*",
"matchCriteriaId": "04F8E5C0-449F-4E58-9113-A95D0A5E4F86",
"versionEndExcluding": "1.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_deployment:*:*:*:*:*:*:*:*",
"matchCriteriaId": "13D840EB-A220-4C25-8B72-3506ADB08A7E",
"versionEndExcluding": "10.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_deployment_concourse_tasks:*:*:*:*:*:*:*:*",
"matchCriteriaId": "90B6B206-94FC-4C78-9934-671FD9F48899",
"versionEndExcluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_log_cache_release:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6FC091EB-B582-4AA6-8C03-AC22248446EB",
"versionEndExcluding": "2.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_networking_release:*:*:*:*:*:*:*:*",
"matchCriteriaId": "652F9F32-36BA-4746-B1E4-8349E90EFD13",
"versionEndExcluding": "2.23.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_notifications:*:*:*:*:*:*:*:*",
"matchCriteriaId": "949C15FF-9BBC-4505-AE49-D6846A2B6EEB",
"versionEndExcluding": "58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_routing_release:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6BD6293D-319B-4F5B-A53E-45327F874782",
"versionEndExcluding": "0.189.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_smoke_test:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0CC085B-863D-49F7-BDC6-000E0DFCF28B",
"versionEndExcluding": "40.0.113",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DCA35BC9-394D-4ABB-9DA5-C167945D1A13",
"versionEndExcluding": "2.3.14",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5B921F25-9042-4FBD-B739-1EA2FE65DC94",
"versionEndExcluding": "2.4.10",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:application_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30EDADC2-4D9D-4271-BEAF-7CF3A3C0DB74",
"versionEndExcluding": "2.5.6",
"versionStartIncluding": "2.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_autoscaling_release:*:*:*:*:*:*:*:*",
"matchCriteriaId": "91C32CE6-5C18-40E9-9608-D15BB4E24788",
"versionEndExcluding": "219",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_event_alerts:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DA2B204A-4EA4-44A3-B27B-3336D1A9FBFB",
"versionEndExcluding": "1.2.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_healthwatch:*:*:*:*:*:*:*:*",
"matchCriteriaId": "71BC43B2-F5C3-4AFD-990F-19D364F7781E",
"versionEndExcluding": "1.4.7",
"versionStartIncluding": "1.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:cloud_foundry_healthwatch:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ED64D8C0-E124-459B-A377-71CEFF182DFD",
"versionEndExcluding": "1.5.4",
"versionStartIncluding": "1.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:credhub_service_broker_for_pcf:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EB1AAA37-B13F-4DBE-B2C0-3A0410C9DD3A",
"versionEndExcluding": "1.3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:metric_registrar_release:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B072EBB3-FED0-4468-A9E8-5B6E2B329D3A",
"versionEndExcluding": "1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:on_demand_service_broker:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DA8C62A2-4B4C-40D8-8E64-6B5BC06D93BD",
"versionEndExcluding": "0.29.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:pivotal_cloud_foundry_service_broker:*:*:*:*:*:aws:*:*",
"matchCriteriaId": "6BCC700B-731F-42F6-9675-59C3AFC4DF33",
"versionEndExcluding": "1.4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:single_sign-on:*:*:*:*:*:cloud_foundry:*:*",
"matchCriteriaId": "94632FE3-6B3C-43A6-9DC7-166A7CC909F5",
"versionEndExcluding": "1.7.5",
"versionStartIncluding": "1.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:single_sign-on:*:*:*:*:*:cloud_foundry:*:*",
"matchCriteriaId": "7862820E-B6FD-4820-BB47-2983D7465BC4",
"versionEndExcluding": "1.8.4",
"versionStartIncluding": "1.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal:single_sign-on:*:*:*:*:*:cloud_foundry:*:*",
"matchCriteriaId": "CF89202E-09F7-4311-A667-3CBD066156D4",
"versionEndExcluding": "1.9.1",
"versionStartIncluding": "1.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:anynines:elasticsearch:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "8CDB4E4C-A0C8-4335-8EE3-1A15876CB32D",
"versionEndExcluding": "2.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:anynines:logme:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "E23C5203-CEBC-4E0A-AC84-2AC8E1568F71",
"versionEndExcluding": "2.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:anynines:mongodb:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "2AB2AFD4-8989-4A6E-9D4B-631D53CFE0D6",
"versionEndExcluding": "2.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:anynines:mysql:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "9CCC2276-21BD-46EF-8AFD-42E5067448F0",
"versionEndExcluding": "2.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:anynines:postgresql:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "A304D180-9C7F-4748-B891-56B4913ED853",
"versionEndExcluding": "2.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:anynines:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "1CA8DFF1-40F0-4311-BA6E-ACEB67F58622",
"versionEndExcluding": "2.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:anynines:redis:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "E002C51E-F5ED-4232-B756-995ABEED1DC2",
"versionEndExcluding": "2.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apigee:edge_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "0438F2AA-B66E-4AE8-AACC-8D7FF57F18D7",
"versionEndExcluding": "3.1.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appdynamics:application_analytics:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "D53361F1-DE54-4808-B1B5-56149BABD9DA",
"versionEndExcluding": "4.7.652",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appdynamics:application_performance_monitoring:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "44473CD4-1DF6-48EF-B317-12BD36BFF420",
"versionEndExcluding": "4.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appdynamics:platform_montioring:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "4DD01FBD-0F69-4793-8343-E5B735171C9B",
"versionEndExcluding": "4.7.712",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bluemedora:nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "ACA4480D-2A59-4DA8-A144-7EB97A570BFF",
"versionEndExcluding": "3.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:contrastsecurity:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "AEC4F727-7085-4C7C-A0A8-EC77E0C6E89F",
"versionEndExcluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cyberark:conjur_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "CF0261DA-818C-46D5-93F6-AB77154C47F1",
"versionEndExcluding": "1.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:datadoghq:application_monitoring:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "32C06495-7CB3-4FF5-AA1F-5F2882FD5206",
"versionEndExcluding": "1.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:datastax:enterprise_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "AEF84CBA-E099-41AD-8B3C-D3603C409810",
"versionEndExcluding": "1.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dynatrace:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "16849497-DD68-4C1B-BFCB-91904F2F36B5",
"versionEndExcluding": "1.4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:forgerock:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "E996866D-CEE3-4C0C-9011-A62BC94C4ECF",
"versionEndExcluding": "2.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:google_cloud_platform_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "C1F611B8-B347-4AEF-9479-80C8AC8457E1",
"versionEndExcluding": "4.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:websphere_liberty_:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "F9339579-1F54-4065-B5A8-C51EA9D5CF6E",
"versionEndExcluding": "3.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:azure_log_analytics_nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "4F38E12C-5675-4290-BE46-11F2768AABF1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:azure_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "BE11B12D-E020-4411-A85E-589F813894E7",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:newrelic:dotnet_extension_buildpack:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "F861138B-93A0-4E61-9205-B1505AD02C1D",
"versionEndExcluding": "1.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:newrelic:nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "5EE16E5F-6078-4293-B0F1-020D6AF79105",
"versionEndExcluding": "1.1.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:newrelic:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "436B6156-3CFA-42E8-8B8D-A142B43E1680",
"versionEndExcluding": "1.12.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pagerduty:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "9D1ACC13-1833-44B9-9629-6E149A61395A",
"versionEndExcluding": "1.2.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:riverbed:steelcentral_appinternals:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "CCE2DA38-E945-41EE-A11E-C0B23BCFB89C",
"versionEndExcluding": "10.21.1-bl516",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:samba:volume_service:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "BEF05596-F907-4DF6-BB67-69A6171C53A0",
"versionEndExcluding": "1.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:signalsciences:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "6F399A62-9A6F-442B-AB45-7C0BE9F5B5AF",
"versionEndExcluding": "1.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:snyk:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "40D76AE1-283E-457F-B7B4-3DB57A1ED4F8",
"versionEndExcluding": "1.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:solace:pubsub\\+:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "74F25242-39A9-4FB0-9929-07D27C67606A",
"versionEndExcluding": "2.3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "77591548-6E7E-414F-B4BE-14399AE18CE4",
"versionEndExcluding": "1.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sumologic:nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "AA182A4D-BB7B-4EC1-B764-B74BC56D4D7E",
"versionEndExcluding": "1.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synopsys:seeker_iast_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "65756938-5D6D-431A-93BD-107604C196EB",
"versionEndExcluding": "1.2.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:businessworks_buildpack:*:*:*:*:container:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "1807AAE6-8F92-4A21-8836-D3C61DC58B54",
"versionEndExcluding": "2.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wavefront:wavefront_by_vmware_nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "66C6C1F0-17EC-47CD-BF12-30F5F6B60BF3",
"versionEndExcluding": "1.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:yugabyte:db_enterprise:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "78C34123-DE82-42BB-BD94-A8311E32A040",
"versionEndExcluding": "1.1.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials."
},
{
"lang": "es",
"value": "La CLI de CF anterior a versi\u00f3n v6.45.0 (versi\u00f3n de lanzamiento bosh 1.16.0), escribe el id y el secreto del cliente hacia su archivo de configuraci\u00f3n cuando el usuario se autentica con el flag --client-credentials. Un usuario malicioso autenticado local con acceso al archivo de configuraci\u00f3n de la CLI de CF puede actuar como ese cliente, quien es el propietario de las credenciales filtradas."
}
],
"id": "CVE-2019-3800",
"lastModified": "2024-11-21T04:42:33.957",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.0"
},
"exploitabilityScore": 2.0,
"impactScore": 3.7,
"source": "security_alert@emc.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-05T17:15:10.960",
"references": [
{
"source": "security_alert@emc.com",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-3800"
},
{
"source": "security_alert@emc.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.cloudfoundry.org/blog/cve-2019-3800"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-3800"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.cloudfoundry.org/blog/cve-2019-3800"
}
],
"sourceIdentifier": "security_alert@emc.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "security_alert@emc.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-20885 (GCVE-0-2023-20885)
Vulnerability from cvelistv5 – Published: 2023-06-16 12:18 – Updated: 2024-12-16 20:05
Title
CF workflows leak credentials in system audit logs
Summary
Vulnerability in Cloud Foundry Notifications, Cloud Foundry SMB-volume release, and Cloud Foundry cf-nfs-volume release. This issue affects Notifications: All versions prior to 63; SMB-volume release: All versions prior to 3.1.19; cf-nfs-volume release: 5.0.X versions prior to 5.0.27, 7.1.X versions prior to 7.1.19.
Severity ?
6.5 (Medium)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
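| Vendor | Product | Version |
|---|---|---|
| Cloud Foundry | Notifications | Affected: All versions prior to 63 |
| Cloud Foundry | SMB-volume release | Affected: All versions prior to 3.1.19 |
| Cloud Foundry | cf-nfs-volume release | Affected: 5.0.x versions prior to 5.0.27; 7.1.x versions prior to 7.1.19 |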
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:21:33.133Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cloudfoundry.org/blog/cve-2023-20885-cf-workflows-leak-credentials-in-system-audit-logs/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-20885",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T20:04:33.907955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T20:05:19.504Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": " Notifications",
"vendor": "Cloud Foundry",
"versions": [
{
"status": "affected",
"version": "All versions prior to 63"
}
]
},
{
"defaultStatus": "unaffected",
"product": "SMB-volume release",
"vendor": "Cloud Foundry",
"versions": [
{
"status": "affected",
"version": "All versions prior to 3.1.19"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cf-nfs-volume release",
"vendor": "Cloud FOundry",
"versions": [
{
"status": "affected",
"version": "5.0.x versions prior to 5.0.27"
},
{
"status": "affected",
"version": "7.1.x versions prior to 7.1.19"
}
]
}
],
"datePublic": "2023-06-15T14:58:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in Cloud Foundry Notifications, Cloud Foundry SMB-volume release, Cloud FOundry cf-nfs-volume release.\u003cp\u003eThis issue affects Notifications: All versions prior to 63; SMB-volume release: All versions prior to 3.1.19; cf-nfs-volume release: 5.0.X versions prior to 5.0.27, 7.1.X versions prior to 7.1.19.\u003c/p\u003e"
}
],
"value": "Vulnerability in Cloud Foundry Notifications, Cloud Foundry SMB-volume release, Cloud FOundry cf-nfs-volume release.This issue affects Notifications: All versions prior to 63; SMB-volume release: All versions prior to 3.1.19; cf-nfs-volume release: 5.0.X versions prior to 5.0.27, 7.1.X versions prior to 7.1.19.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-16T12:19:17.758Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://www.cloudfoundry.org/blog/cve-2023-20885-cf-workflows-leak-credentials-in-system-audit-logs/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CF workflows leak credentials in system audit logs",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2023-20885",
"datePublished": "2023-06-16T12:18:35.886Z",
"dateReserved": "2022-11-01T15:41:50.393Z",
"dateUpdated": "2024-12-16T20:05:19.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3800 (GCVE-0-2019-3800)
Vulnerability from cvelistv5 – Published: 2019-08-05 16:38 – Updated: 2024-09-17 04:29
Title
CF CLI writes the client id and secret to config file
Summary
CF CLI versions prior to v6.45.0 (bosh release version 1.16.0) write the client id and secret to the CLI config file when the user authenticates with the --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, the owner of the leaked credentials.
Severity ?
6.3 (Medium)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
| URL | Tags |
|---|---|
| https://www.cloudfoundry.org/blog/cve-2019-3800 | x_refsource_CONFIRM |
| https://pivotal.io/security/cve-2019-3800 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Cloud Foundry | CF CLI Release | Affected: v1.x before v1.16.0 |
| Cloud Foundry | CF CLI | Affected: versions prior to v6.45.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:18.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cloudfoundry.org/blog/cve-2019-3800"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2019-3800"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CF CLI Release",
"vendor": "Cloud Foundry",
"versions": [
{
"status": "affected",
"version": "v1.x before v1.16.0"
}
]
},
{
"product": "CF CLI",
"vendor": "Cloud Foundry",
"versions": [
{
"status": "affected",
"version": "versions prior to v6.45.0"
}
]
}
],
"datePublic": "2019-07-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-05T16:38:20",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cloudfoundry.org/blog/cve-2019-3800"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2019-3800"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CF CLI writes the client id and secret to config file",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2019-07-18T00:00:00.000Z",
"ID": "CVE-2019-3800",
"STATE": "PUBLIC",
"TITLE": "CF CLI writes the client id and secret to config file"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CF CLI Release",
"version": {
"version_data": [
{
"version_value": "v1.x before v1.16.0"
}
]
}
},
{
"product_name": "CF CLI",
"version": {
"version_data": [
{
"version_value": "versions prior to v6.45.0"
}
]
}
}
]
},
"vendor_name": "Cloud Foundry"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-522: Insufficiently Protected Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cloudfoundry.org/blog/cve-2019-3800",
"refsource": "CONFIRM",
"url": "https://www.cloudfoundry.org/blog/cve-2019-3800"
},
{
"name": "https://pivotal.io/security/cve-2019-3800",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2019-3800"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2019-3800",
"datePublished": "2019-08-05T16:38:20.424541Z",
"dateReserved": "2019-01-03T00:00:00",
"dateUpdated": "2024-09-17T04:29:08.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-20885 (GCVE-0-2023-20885)
Vulnerability from nvd – Published: 2023-06-16 12:18 – Updated: 2024-12-16 20:05
Title
CF workflows leak credentials in system audit logs
Summary
Vulnerability in Cloud Foundry Notifications, Cloud Foundry SMB-volume release, and Cloud Foundry cf-nfs-volume release. This issue affects Notifications: All versions prior to 63; SMB-volume release: All versions prior to 3.1.19; cf-nfs-volume release: 5.0.X versions prior to 5.0.27, 7.1.X versions prior to 7.1.19.
Severity ?
6.5 (Medium)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
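| Vendor | Product | Version |
|---|---|---|
| Cloud Foundry | Notifications | Affected: All versions prior to 63 |
| Cloud Foundry | SMB-volume release | Affected: All versions prior to 3.1.19 |
| Cloud Foundry | cf-nfs-volume release | Affected: 5.0.x versions prior to 5.0.27; 7.1.x versions prior to 7.1.19 |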
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:21:33.133Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cloudfoundry.org/blog/cve-2023-20885-cf-workflows-leak-credentials-in-system-audit-logs/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-20885",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T20:04:33.907955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T20:05:19.504Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": " Notifications",
"vendor": "Cloud Foundry",
"versions": [
{
"status": "affected",
"version": "All versions prior to 63"
}
]
},
{
"defaultStatus": "unaffected",
"product": "SMB-volume release",
"vendor": "Cloud Foundry",
"versions": [
{
"status": "affected",
"version": "All versions prior to 3.1.19"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cf-nfs-volume release",
"vendor": "Cloud FOundry",
"versions": [
{
"status": "affected",
"version": "5.0.x versions prior to 5.0.27"
},
{
"status": "affected",
"version": "7.1.x versions prior to 7.1.19"
}
]
}
],
"datePublic": "2023-06-15T14:58:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in Cloud Foundry Notifications, Cloud Foundry SMB-volume release, Cloud FOundry cf-nfs-volume release.\u003cp\u003eThis issue affects Notifications: All versions prior to 63; SMB-volume release: All versions prior to 3.1.19; cf-nfs-volume release: 5.0.X versions prior to 5.0.27, 7.1.X versions prior to 7.1.19.\u003c/p\u003e"
}
],
"value": "Vulnerability in Cloud Foundry Notifications, Cloud Foundry SMB-volume release, Cloud FOundry cf-nfs-volume release.This issue affects Notifications: All versions prior to 63; SMB-volume release: All versions prior to 3.1.19; cf-nfs-volume release: 5.0.X versions prior to 5.0.27, 7.1.X versions prior to 7.1.19.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-16T12:19:17.758Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://www.cloudfoundry.org/blog/cve-2023-20885-cf-workflows-leak-credentials-in-system-audit-logs/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CF workflows leak credentials in system audit logs",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2023-20885",
"datePublished": "2023-06-16T12:18:35.886Z",
"dateReserved": "2022-11-01T15:41:50.393Z",
"dateUpdated": "2024-12-16T20:05:19.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3800 (GCVE-0-2019-3800)
Vulnerability from nvd – Published: 2019-08-05 16:38 – Updated: 2024-09-17 04:29
Title
CF CLI writes the client id and secret to config file
Summary
CF CLI versions prior to v6.45.0 (bosh release version 1.16.0) write the client id and secret to the CLI's config file when the user authenticates with the --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as the client that owns the leaked credentials.
Severity ?
6.3 (Medium)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Cloud Foundry | CF CLI Release | Affected: v1.x before v1.16.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:18.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cloudfoundry.org/blog/cve-2019-3800"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2019-3800"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CF CLI Release",
"vendor": "Cloud Foundry",
"versions": [
{
"status": "affected",
"version": "v1.x before v1.16.0"
}
]
},
{
"product": "CF CLI",
"vendor": "Cloud Foundry",
"versions": [
{
"status": "affected",
"version": "versions prior to v6.45.0"
}
]
}
],
"datePublic": "2019-07-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-05T16:38:20",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cloudfoundry.org/blog/cve-2019-3800"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2019-3800"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CF CLI writes the client id and secret to config file",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2019-07-18T00:00:00.000Z",
"ID": "CVE-2019-3800",
"STATE": "PUBLIC",
"TITLE": "CF CLI writes the client id and secret to config file"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CF CLI Release",
"version": {
"version_data": [
{
"version_value": "v1.x before v1.16.0"
}
]
}
},
{
"product_name": "CF CLI",
"version": {
"version_data": [
{
"version_value": "versions prior to v6.45.0"
}
]
}
}
]
},
"vendor_name": "Cloud Foundry"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-522: Insufficiently Protected Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cloudfoundry.org/blog/cve-2019-3800",
"refsource": "CONFIRM",
"url": "https://www.cloudfoundry.org/blog/cve-2019-3800"
},
{
"name": "https://pivotal.io/security/cve-2019-3800",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2019-3800"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2019-3800",
"datePublished": "2019-08-05T16:38:20.424541Z",
"dateReserved": "2019-01-03T00:00:00",
"dateUpdated": "2024-09-17T04:29:08.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}