cvelistv5 - cve-2019-3781

CVE-2019-3781 (GCVE-0-2019-3781)

Vulnerability from cvelistv5 – Published: 2019-03-07 19:00 – Updated: 2024-09-16 21:02

Summary

Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a users password.

Severity ?

8.2 (High)


                        
                          CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CWE

CWE-215 - Information Exposure Through Debug Information

Assigner

dell

References

URL

	Vendor	Product	Version
	Cloud Foundry	CF CLI	Affected: All , < v6.43.0 (custom)

SUSE-SU-2019:1220-2

Vulnerability from csaf_suse - Published: 2019-07-02 08:32 - Updated: 2019-07-02 08:32

Summary

Security update for cf-cli

Notes

Title of the patch

Security update for cf-cli

Description of the patch

This update for cf-cli fixes the following issues: cf-cli was updated: to version 6.43.0 (bsc#1132242) Enhancements : - `cf curl` supports a new `--fail` flag (primarily for scripting purposes) which returns exit code `22` for server errors [story](https://www.pivotaltracker.com/story/show/130060949) - Improves `cf delete-orphaned-routes` such that it uses a different endpoint, reducing the chance of a race condition when two users are simultaneously deleting orphaned routes and associating routes with applications [story](https://www.pivotaltracker.com/story/show/163156064) - we've improved the speed of cf services - it now hits a single endpoint instead of making individual API calls Security: - CVE-2019-3781: CF CLI does not sanitize user’s password in verbose/trace/debug. - Fixes issue with running cf login in verbose mode whereby passwords which contains regex were not completely redacted - Fixes issue whilst running commands in verbose mode refresh tokens were not completely redacted Other Bug Fixes: - Updates help text for cf curlstory - Now refresh tokens work properly whilst using cf curl with V3 CC API endpoints story - Fixes performance degradation for cf services story - cf delete-service requires that you are targeting a space story - cf enable-service access for a service in an org will succeed if you have already enabled access for that service in that org story cf-cli was updated to version 6.42.0: Minor Enhancements: - updated `cf restage` help text and the first line in the command's output to indicate that using this command will cause app downtime [story](https://www.pivotaltracker.com/story/show/151841382) - updated the `cf bind-route-service` help text to clarify usage instructions [story](https://www.pivotaltracker.com/story/show/150111078) - improved an error message for `cf create-service-boker` to be more helpful when the CC API returns a `502` due to an invalid service broker catalog - upgraded to Golang 1.11.4 [story](https://www.pivotaltracker.com/story/show/162745359) - added a short name `ue` for `cf unset-env` [story](https://www.pivotaltracker.com/story/show/161632713) - updated `cf marketplace` command to include a new `broker` column to prepare for a upcoming services-related feature which will allow services to have the same name as long as they are associated with different service brokers [story](https://www.pivotaltracker.com/story/show/162699756) Bugs: - fix for `cf enable-service-access -p plan` whereby when we refactored the code in CLI `v6.41.0` it created service plan visibilities as part of a subsequent run of the command (the unrefactored code skipped creating the service plan visibilities); now the command will skip creating service plan visibilities as it did prior to the refactor [story](https://www.pivotaltracker.com/story/show/162747373) - updated the `cf rename-buildpack` help text which was missing reference to the `-s` stack flag [story](https://www.pivotaltracker.com/story/show/162428661) - updated help text for when users use `brew search cloudfoundry-cli` [story](https://www.pivotaltracker.com/story/show/161770940) - now when you run `cf service service-instance` for a route service, the route service url appears in the key value table [story](https://www.pivotaltracker.com/story/show/162498211) Update to version 6.41.0: Enhancements: - updated `cf --help` to include the `delete` command [story](https://www.pivotaltracker.com/story/show/161556511) Update to version 6.40.1: Bug Fixes: - Updates the minimum version for the buildpacks-stacks association feature. In [CLI v6.39.0](https://github.com/cloudfoundry/cli/releases/tag/v6.39.0), when the feature was released, we incorrectly set the minimum to cc api version as`2.114`. The minimum cc api version is now correctly set to [`2.112`](https://github.com/cloudfoundry/capi-release/releases/tag/1.58.0). [story](https://www.pivotaltracker.com/story/show/161464797) - Fixes a bug with inspecting a service instance `cf service service-instance`, now the `documentation` url displays correctly for services which populate that field [story](https://www.pivotaltracker.com/story/show/161251875) Update to version 6.40.0: Bug Fixes: - Fix bug where trailing slash on cf api would break listing commands for older CC APIs story. For older versions of CC API, if the API URL had a trailing slash, some requests would fail with an 'Unknown request' error. These requests are now handled properly. Update to version 6.39.0: Enhancements: - for users on cc api 3.27, cf start is enhanced to display the new cf app v3 output. For users on cc api 3.27 or lower, users will see the same v2 output. Note that if you use v3 commands to create and start your app, if you subsequently use cf stop and cf start, the routes property in cf app will not populate even though the route exists story - for users on cc api 3.27, cf restart is enhanced to display the new cf app v3 output. For users on cc api 3.27 or lower, users will see the same v2 output. story - for users on cc api 3.27, cf restage is enhanced to display the new cf app v3 output. For users on cc api 3.27 or lower, users will see the same v2 output. story - improved help text for -d domains for cf push to include examples of usage story - cf v3-scale displays additional app information story - if you've created an internal domain, and it is the first domain in cc, the CLI will now ignore the internal domain and instead choose the next non-internal domain when you push an app story Bug Fixes: - Fix for users on macOS attempting to brew install cf-cli the CF CLI using the unreleased master branch of Homebrew story - Fixes an issue whereby, due to a recent cc api change, when you execute cf push and watch the cf app command, the app display returned a 400 error story - Fixes a bug whereby if you logged in using client credentials, cf auth user pass --client credentials you were unable to create an org; now create-org will assign the role to the user id specified in your manifest story - fixes an issue introduced when we refactored cf start and as part of that work, we stopped blocking on the initial connection with the logging backend; now the CLI blocks until the NOAA connection is made, or the default dial timeout of five seconds is reached story update to version 6.38.0: Enhancements: - v3-ssh process type now defaults to web story - Support added for setting tags for user provided service instances story - Now a warning appears if you attempt to use deprecated properties and variable substitution story - Updated usage so now you can rename the cf binary use it with every command story - cf events now displays the Diego cell_id and instance guid in crash events story - Includes cf service service-instance table display improvements wherein the service instance information is now grouped separately from the binding information story - cf service service-instance table display information for user provided services changed: status has been added to the table story Bug Fixes: - the CLI now properly handles escaped commas in the X-Cf-Warnings header Update to version 6.37.0: Enhancements - The api/cloudcontroller/ccv2 package has been updated with more functions #1343 - Now a warning appears if you are using a API version older than 2.69.0, which is no longer officially supported - Now the CLI reads the username and password from the environment variables #1358 Bug Fixes: - Fixes bug whereby X-Cf-Warnings were not being unescaped when displayed to user #1361 - When using CF_TRACE=1, passwords are now sanitized #1375 and tracker Update to version 6.36.0: Bug Fixes: - int64 support for cf/flags library, #1333 - Debian package, #1336 - Web action flag not working on CLI 0.6.5, #1337 - When a cf push upload fails/Consul is down, a panic occurs, #1340 and #1351 update to version 6.35.2: Bug Fixes: - Providing a clearer services authorization warning message when a service has been disabled for the organization, fixing #1344

Patchnames

SUSE-2019-1220,SUSE-SLE-Module-CAP-Tools-15-SP1-2019-1220

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for cf-cli",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for cf-cli fixes the following issues:\n\ncf-cli was updated: to version 6.43.0 (bsc#1132242)\n\nEnhancements :\n\n- `cf curl` supports a new `--fail` flag (primarily for scripting purposes) which returns exit code `22` for server errors [story](https://www.pivotaltracker.com/story/show/130060949)\n- Improves `cf delete-orphaned-routes` such that it uses a different endpoint, reducing the chance of a race condition when two users are simultaneously deleting orphaned routes and associating routes with applications [story](https://www.pivotaltracker.com/story/show/163156064)\n- we\u0027ve improved the speed of cf services - it now hits a single endpoint instead of making individual API calls\n\nSecurity:\n\n- CVE-2019-3781: CF CLI does not sanitize user\u2019s password in verbose/trace/debug.\n- Fixes issue with running cf login in verbose mode whereby passwords which contains regex were not completely redacted\n- Fixes issue whilst running commands in verbose mode refresh tokens were not completely redacted\n\nOther Bug Fixes:\n\n- Updates help text for cf curlstory\n- Now refresh tokens work properly whilst using cf curl with V3 CC API endpoints story\n- Fixes performance degradation for cf services story\n- cf delete-service requires that you are targeting a space story\n- cf enable-service access for a service in an org will succeed if you have already enabled access for that service in that org story\n\ncf-cli was updated to version 6.42.0:\n\nMinor Enhancements:\n\n- updated `cf restage` help text and the first line in the command\u0027s output to indicate that using this command will cause app downtime [story](https://www.pivotaltracker.com/story/show/151841382)\n- updated the `cf bind-route-service` help text to clarify usage instructions [story](https://www.pivotaltracker.com/story/show/150111078)\n- improved an error message for `cf create-service-boker` to be more helpful when the CC API returns a `502` due to an invalid service broker catalog \n- upgraded to Golang 1.11.4 [story](https://www.pivotaltracker.com/story/show/162745359)\n- added a short name `ue` for `cf unset-env` [story](https://www.pivotaltracker.com/story/show/161632713)\n- updated `cf marketplace` command to include a new `broker` column to prepare for a upcoming services-related feature which will allow services to have the same name as long as they are associated with different service brokers [story](https://www.pivotaltracker.com/story/show/162699756)\n\nBugs:\n\n- fix for `cf enable-service-access -p plan` whereby when we refactored the code in CLI `v6.41.0` it created service plan visibilities as part of a subsequent run of the command (the unrefactored code skipped creating the service plan visibilities); now the command will skip creating service plan visibilities as it did prior to the refactor [story](https://www.pivotaltracker.com/story/show/162747373)\n- updated the `cf rename-buildpack` help text which was missing reference to the `-s` stack flag [story](https://www.pivotaltracker.com/story/show/162428661)\n- updated help text for when users use `brew search cloudfoundry-cli` [story](https://www.pivotaltracker.com/story/show/161770940)\n- now when you run `cf service service-instance` for a route service, the route service url appears in the key value table [story](https://www.pivotaltracker.com/story/show/162498211)\n\nUpdate to version 6.41.0:\n\nEnhancements:\n\n- updated `cf --help` to include the `delete` command [story](https://www.pivotaltracker.com/story/show/161556511)\n\nUpdate to version 6.40.1:\n\nBug Fixes:\n\n- Updates the minimum version for the buildpacks-stacks association feature. In [CLI v6.39.0](https://github.com/cloudfoundry/cli/releases/tag/v6.39.0), when the feature was released, we incorrectly set the minimum to cc api version as`2.114`. The minimum cc api version is now correctly set to [`2.112`](https://github.com/cloudfoundry/capi-release/releases/tag/1.58.0).  [story](https://www.pivotaltracker.com/story/show/161464797)\n- Fixes a bug with inspecting a service instance `cf service service-instance`, now the `documentation` url displays correctly for services which populate that field [story](https://www.pivotaltracker.com/story/show/161251875)\n\nUpdate to version 6.40.0:\n\nBug Fixes:\n\n- Fix bug where trailing slash on cf api would break listing commands for older CC APIs story. For older versions of CC API, if the API URL had a trailing slash, some requests would fail with an \u0027Unknown request\u0027 error. These requests are now handled properly.\n\nUpdate to version 6.39.0:\n\nEnhancements:\n\n- for users on cc api 3.27, cf start is enhanced to display the new cf app v3 output. For users on cc api 3.27 or lower, users will see the same v2 output. Note that if you use v3 commands to create and start your app, if you subsequently use cf stop and cf start, the routes property in cf app will not populate even though the route exists story\n- for users on cc api 3.27, cf restart is enhanced to display the new cf app v3 output. For users on cc api 3.27 or lower, users will see the same v2 output. story\n- for users on cc api 3.27, cf restage is enhanced to display the new cf app v3 output. For users on cc api 3.27 or lower, users will see the same v2 output. story\n- improved help text for -d domains for cf push to include examples of usage story\n- cf v3-scale displays additional app information story\n- if you\u0027ve created an internal domain, and it is the first domain in cc, the CLI will now ignore the internal domain and instead choose the next non-internal domain when you push an app story\n\nBug Fixes:\n\n- Fix for users on macOS attempting to brew install cf-cli the CF CLI using the unreleased master branch of Homebrew story\n- Fixes an issue whereby, due to a recent cc api change, when you execute cf push and watch the cf app command, the app display returned a 400 error story\n- Fixes a bug whereby if you logged in using client credentials, cf auth user pass --client credentials you were unable to create an org; now create-org will assign the role to the user id specified in your manifest story\n- fixes an issue introduced when we refactored cf start and as part of that work, we stopped blocking on the initial connection with the logging backend; now the CLI blocks until the NOAA connection is made, or the default dial timeout of five seconds is reached story\n\nupdate to version 6.38.0:\n\nEnhancements:\n\n- v3-ssh process type now defaults to web story\n- Support added for setting tags for user provided service instances story\n- Now a warning appears if you attempt to use deprecated properties and variable substitution story\n- Updated usage so now you can rename the cf binary use it with every command story\n- cf events now displays the Diego cell_id and instance guid in crash events story\n- Includes cf service service-instance table display improvements wherein the service instance information is now grouped separately from the binding information story\n- cf service service-instance table display information for user provided services changed: status has been added to the table story\n\nBug Fixes:\n\n- the CLI now properly handles escaped commas in the X-Cf-Warnings header\n\nUpdate to version 6.37.0:\n\nEnhancements\n\n- The api/cloudcontroller/ccv2 package has been updated with more functions #1343\n- Now a warning appears if you are using a API version older than 2.69.0, which is no longer officially supported\n- Now the CLI reads the username and password from the environment variables #1358\n\nBug Fixes:\n\n- Fixes bug whereby X-Cf-Warnings were not being unescaped when displayed to user #1361\n- When using CF_TRACE=1, passwords are now sanitized #1375 and tracker\n\nUpdate to version 6.36.0:\n\nBug Fixes:\n\n- int64 support for cf/flags library, #1333\n- Debian package, #1336\n- Web action flag not working on CLI 0.6.5, #1337\n- When a cf push upload fails/Consul is down, a panic occurs, #1340 and #1351\n\nupdate to version 6.35.2:\n\nBug Fixes:\n\n- Providing a clearer services authorization warning message when a service has been disabled for the organization, fixing #1344\n\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2019-1220,SUSE-SLE-Module-CAP-Tools-15-SP1-2019-1220",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2019_1220-2.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2019:1220-2",
        "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20191220-2/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2019:1220-2",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2019-July/005646.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1132242",
        "url": "https://bugzilla.suse.com/1132242"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-3781 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-3781/"
      }
    ],
    "title": "Security update for cf-cli",
    "tracking": {
      "current_release_date": "2019-07-02T08:32:10Z",
      "generator": {
        "date": "2019-07-02T08:32:10Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2019:1220-2",
      "initial_release_date": "2019-07-02T08:32:10Z",
      "revision_history": [
        {
          "date": "2019-07-02T08:32:10Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cf-cli-6.43.0-3.3.2.aarch64",
                "product": {
                  "name": "cf-cli-6.43.0-3.3.2.aarch64",
                  "product_id": "cf-cli-6.43.0-3.3.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "cf-cli-test-6.43.0-3.3.1.aarch64",
                "product": {
                  "name": "cf-cli-test-6.43.0-3.3.1.aarch64",
                  "product_id": "cf-cli-test-6.43.0-3.3.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cf-cli-6.43.0-3.3.2.i586",
                "product": {
                  "name": "cf-cli-6.43.0-3.3.2.i586",
                  "product_id": "cf-cli-6.43.0-3.3.2.i586"
                }
              },
              {
                "category": "product_version",
                "name": "cf-cli-test-6.43.0-3.3.1.i586",
                "product": {
                  "name": "cf-cli-test-6.43.0-3.3.1.i586",
                  "product_id": "cf-cli-test-6.43.0-3.3.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cf-cli-6.43.0-3.3.2.ppc64le",
                "product": {
                  "name": "cf-cli-6.43.0-3.3.2.ppc64le",
                  "product_id": "cf-cli-6.43.0-3.3.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "cf-cli-test-6.43.0-3.3.1.ppc64le",
                "product": {
                  "name": "cf-cli-test-6.43.0-3.3.1.ppc64le",
                  "product_id": "cf-cli-test-6.43.0-3.3.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cf-cli-6.43.0-3.3.2.s390x",
                "product": {
                  "name": "cf-cli-6.43.0-3.3.2.s390x",
                  "product_id": "cf-cli-6.43.0-3.3.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "cf-cli-test-6.43.0-3.3.1.s390x",
                "product": {
                  "name": "cf-cli-test-6.43.0-3.3.1.s390x",
                  "product_id": "cf-cli-test-6.43.0-3.3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cf-cli-6.43.0-3.3.2.x86_64",
                "product": {
                  "name": "cf-cli-6.43.0-3.3.2.x86_64",
                  "product_id": "cf-cli-6.43.0-3.3.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "cf-cli-test-6.43.0-3.3.1.x86_64",
                "product": {
                  "name": "cf-cli-test-6.43.0-3.3.1.x86_64",
                  "product_id": "cf-cli-test-6.43.0-3.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for CAP 15 SP1",
                "product": {
                  "name": "SUSE Linux Enterprise Module for CAP 15 SP1",
                  "product_id": "SUSE Linux Enterprise Module for CAP 15 SP1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-cap-tools:15:sp1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cf-cli-6.43.0-3.3.2.x86_64 as component of SUSE Linux Enterprise Module for CAP 15 SP1",
          "product_id": "SUSE Linux Enterprise Module for CAP 15 SP1:cf-cli-6.43.0-3.3.2.x86_64"
        },
        "product_reference": "cf-cli-6.43.0-3.3.2.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for CAP 15 SP1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-3781",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-3781"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a users password.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for CAP 15 SP1:cf-cli-6.43.0-3.3.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-3781",
          "url": "https://www.suse.com/security/cve/CVE-2019-3781"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for CAP 15 SP1:cf-cli-6.43.0-3.3.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for CAP 15 SP1:cf-cli-6.43.0-3.3.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2019-07-02T08:32:10Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-3781"
    }
  ]
}

SUSE-SU-2019:1220-1

Vulnerability from csaf_suse - Published: 2019-05-13 11:27 - Updated: 2019-05-13 11:27

Summary

Security update for cf-cli

Notes

Title of the patch

Security update for cf-cli

Description of the patch

Patchnames

SUSE-2019-1220,SUSE-SLE-Module-CAP-Tools-15-2019-1220

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for cf-cli",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for cf-cli fixes the following issues:\n\ncf-cli was updated: to version 6.43.0 (bsc#1132242)\n\nEnhancements :\n\n- `cf curl` supports a new `--fail` flag (primarily for scripting purposes) which returns exit code `22` for server errors [story](https://www.pivotaltracker.com/story/show/130060949)\n- Improves `cf delete-orphaned-routes` such that it uses a different endpoint, reducing the chance of a race condition when two users are simultaneously deleting orphaned routes and associating routes with applications [story](https://www.pivotaltracker.com/story/show/163156064)\n- we\u0027ve improved the speed of cf services - it now hits a single endpoint instead of making individual API calls\n\nSecurity:\n\n- CVE-2019-3781: CF CLI does not sanitize user\u2019s password in verbose/trace/debug.\n- Fixes issue with running cf login in verbose mode whereby passwords which contains regex were not completely redacted\n- Fixes issue whilst running commands in verbose mode refresh tokens were not completely redacted\n\nOther Bug Fixes:\n\n- Updates help text for cf curlstory\n- Now refresh tokens work properly whilst using cf curl with V3 CC API endpoints story\n- Fixes performance degradation for cf services story\n- cf delete-service requires that you are targeting a space story\n- cf enable-service access for a service in an org will succeed if you have already enabled access for that service in that org story\n\ncf-cli was updated to version 6.42.0:\n\nMinor Enhancements:\n\n- updated `cf restage` help text and the first line in the command\u0027s output to indicate that using this command will cause app downtime [story](https://www.pivotaltracker.com/story/show/151841382)\n- updated the `cf bind-route-service` help text to clarify usage instructions [story](https://www.pivotaltracker.com/story/show/150111078)\n- improved an error message for `cf create-service-boker` to be more helpful when the CC API returns a `502` due to an invalid service broker catalog \n- upgraded to Golang 1.11.4 [story](https://www.pivotaltracker.com/story/show/162745359)\n- added a short name `ue` for `cf unset-env` [story](https://www.pivotaltracker.com/story/show/161632713)\n- updated `cf marketplace` command to include a new `broker` column to prepare for a upcoming services-related feature which will allow services to have the same name as long as they are associated with different service brokers [story](https://www.pivotaltracker.com/story/show/162699756)\n\nBugs:\n\n- fix for `cf enable-service-access -p plan` whereby when we refactored the code in CLI `v6.41.0` it created service plan visibilities as part of a subsequent run of the command (the unrefactored code skipped creating the service plan visibilities); now the command will skip creating service plan visibilities as it did prior to the refactor [story](https://www.pivotaltracker.com/story/show/162747373)\n- updated the `cf rename-buildpack` help text which was missing reference to the `-s` stack flag [story](https://www.pivotaltracker.com/story/show/162428661)\n- updated help text for when users use `brew search cloudfoundry-cli` [story](https://www.pivotaltracker.com/story/show/161770940)\n- now when you run `cf service service-instance` for a route service, the route service url appears in the key value table [story](https://www.pivotaltracker.com/story/show/162498211)\n\nUpdate to version 6.41.0:\n\nEnhancements:\n\n- updated `cf --help` to include the `delete` command [story](https://www.pivotaltracker.com/story/show/161556511)\n\nUpdate to version 6.40.1:\n\nBug Fixes:\n\n- Updates the minimum version for the buildpacks-stacks association feature. In [CLI v6.39.0](https://github.com/cloudfoundry/cli/releases/tag/v6.39.0), when the feature was released, we incorrectly set the minimum to cc api version as`2.114`. The minimum cc api version is now correctly set to [`2.112`](https://github.com/cloudfoundry/capi-release/releases/tag/1.58.0).  [story](https://www.pivotaltracker.com/story/show/161464797)\n- Fixes a bug with inspecting a service instance `cf service service-instance`, now the `documentation` url displays correctly for services which populate that field [story](https://www.pivotaltracker.com/story/show/161251875)\n\nUpdate to version 6.40.0:\n\nBug Fixes:\n\n- Fix bug where trailing slash on cf api would break listing commands for older CC APIs story. For older versions of CC API, if the API URL had a trailing slash, some requests would fail with an \u0027Unknown request\u0027 error. These requests are now handled properly.\n\nUpdate to version 6.39.0:\n\nEnhancements:\n\n- for users on cc api 3.27, cf start is enhanced to display the new cf app v3 output. For users on cc api 3.27 or lower, users will see the same v2 output. Note that if you use v3 commands to create and start your app, if you subsequently use cf stop and cf start, the routes property in cf app will not populate even though the route exists story\n- for users on cc api 3.27, cf restart is enhanced to display the new cf app v3 output. For users on cc api 3.27 or lower, users will see the same v2 output. story\n- for users on cc api 3.27, cf restage is enhanced to display the new cf app v3 output. For users on cc api 3.27 or lower, users will see the same v2 output. story\n- improved help text for -d domains for cf push to include examples of usage story\n- cf v3-scale displays additional app information story\n- if you\u0027ve created an internal domain, and it is the first domain in cc, the CLI will now ignore the internal domain and instead choose the next non-internal domain when you push an app story\n\nBug Fixes:\n\n- Fix for users on macOS attempting to brew install cf-cli the CF CLI using the unreleased master branch of Homebrew story\n- Fixes an issue whereby, due to a recent cc api change, when you execute cf push and watch the cf app command, the app display returned a 400 error story\n- Fixes a bug whereby if you logged in using client credentials, cf auth user pass --client credentials you were unable to create an org; now create-org will assign the role to the user id specified in your manifest story\n- fixes an issue introduced when we refactored cf start and as part of that work, we stopped blocking on the initial connection with the logging backend; now the CLI blocks until the NOAA connection is made, or the default dial timeout of five seconds is reached story\n\nupdate to version 6.38.0:\n\nEnhancements:\n\n- v3-ssh process type now defaults to web story\n- Support added for setting tags for user provided service instances story\n- Now a warning appears if you attempt to use deprecated properties and variable substitution story\n- Updated usage so now you can rename the cf binary use it with every command story\n- cf events now displays the Diego cell_id and instance guid in crash events story\n- Includes cf service service-instance table display improvements wherein the service instance information is now grouped separately from the binding information story\n- cf service service-instance table display information for user provided services changed: status has been added to the table story\n\nBug Fixes:\n\n- the CLI now properly handles escaped commas in the X-Cf-Warnings header\n\nUpdate to version 6.37.0:\n\nEnhancements\n\n- The api/cloudcontroller/ccv2 package has been updated with more functions #1343\n- Now a warning appears if you are using a API version older than 2.69.0, which is no longer officially supported\n- Now the CLI reads the username and password from the environment variables #1358\n\nBug Fixes:\n\n- Fixes bug whereby X-Cf-Warnings were not being unescaped when displayed to user #1361\n- When using CF_TRACE=1, passwords are now sanitized #1375 and tracker\n\nUpdate to version 6.36.0:\n\nBug Fixes:\n\n- int64 support for cf/flags library, #1333\n- Debian package, #1336\n- Web action flag not working on CLI 0.6.5, #1337\n- When a cf push upload fails/Consul is down, a panic occurs, #1340 and #1351\n\nupdate to version 6.35.2:\n\nBug Fixes:\n\n- Providing a clearer services authorization warning message when a service has been disabled for the organization, fixing #1344\n\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2019-1220,SUSE-SLE-Module-CAP-Tools-15-2019-1220",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2019_1220-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2019:1220-1",
        "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20191220-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2019:1220-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2019-May/005445.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1132242",
        "url": "https://bugzilla.suse.com/1132242"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-3781 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-3781/"
      }
    ],
    "title": "Security update for cf-cli",
    "tracking": {
      "current_release_date": "2019-05-13T11:27:58Z",
      "generator": {
        "date": "2019-05-13T11:27:58Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2019:1220-1",
      "initial_release_date": "2019-05-13T11:27:58Z",
      "revision_history": [
        {
          "date": "2019-05-13T11:27:58Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cf-cli-6.43.0-3.3.2.aarch64",
                "product": {
                  "name": "cf-cli-6.43.0-3.3.2.aarch64",
                  "product_id": "cf-cli-6.43.0-3.3.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "cf-cli-test-6.43.0-3.3.1.aarch64",
                "product": {
                  "name": "cf-cli-test-6.43.0-3.3.1.aarch64",
                  "product_id": "cf-cli-test-6.43.0-3.3.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cf-cli-6.43.0-3.3.2.i586",
                "product": {
                  "name": "cf-cli-6.43.0-3.3.2.i586",
                  "product_id": "cf-cli-6.43.0-3.3.2.i586"
                }
              },
              {
                "category": "product_version",
                "name": "cf-cli-test-6.43.0-3.3.1.i586",
                "product": {
                  "name": "cf-cli-test-6.43.0-3.3.1.i586",
                  "product_id": "cf-cli-test-6.43.0-3.3.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cf-cli-6.43.0-3.3.2.ppc64le",
                "product": {
                  "name": "cf-cli-6.43.0-3.3.2.ppc64le",
                  "product_id": "cf-cli-6.43.0-3.3.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "cf-cli-test-6.43.0-3.3.1.ppc64le",
                "product": {
                  "name": "cf-cli-test-6.43.0-3.3.1.ppc64le",
                  "product_id": "cf-cli-test-6.43.0-3.3.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cf-cli-6.43.0-3.3.2.s390x",
                "product": {
                  "name": "cf-cli-6.43.0-3.3.2.s390x",
                  "product_id": "cf-cli-6.43.0-3.3.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "cf-cli-test-6.43.0-3.3.1.s390x",
                "product": {
                  "name": "cf-cli-test-6.43.0-3.3.1.s390x",
                  "product_id": "cf-cli-test-6.43.0-3.3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cf-cli-6.43.0-3.3.2.x86_64",
                "product": {
                  "name": "cf-cli-6.43.0-3.3.2.x86_64",
                  "product_id": "cf-cli-6.43.0-3.3.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "cf-cli-test-6.43.0-3.3.1.x86_64",
                "product": {
                  "name": "cf-cli-test-6.43.0-3.3.1.x86_64",
                  "product_id": "cf-cli-test-6.43.0-3.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for CAP 15",
                "product": {
                  "name": "SUSE Linux Enterprise Module for CAP 15",
                  "product_id": "SUSE Linux Enterprise Module for CAP 15",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-cap-tools:15"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cf-cli-6.43.0-3.3.2.x86_64 as component of SUSE Linux Enterprise Module for CAP 15",
          "product_id": "SUSE Linux Enterprise Module for CAP 15:cf-cli-6.43.0-3.3.2.x86_64"
        },
        "product_reference": "cf-cli-6.43.0-3.3.2.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for CAP 15"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-3781",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-3781"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a users password.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for CAP 15:cf-cli-6.43.0-3.3.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-3781",
          "url": "https://www.suse.com/security/cve/CVE-2019-3781"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for CAP 15:cf-cli-6.43.0-3.3.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for CAP 15:cf-cli-6.43.0-3.3.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2019-05-13T11:27:58Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-3781"
    }
  ]
}

GSD-2019-3781

Vulnerability from gsd - Updated: 2023-12-13 01:24

Details

Aliases

CVE-2019-3781

Aliases

CVE-2019-3781

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-3781",
    "description": "Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a users password.",
    "id": "GSD-2019-3781",
    "references": [
      "https://www.suse.com/security/cve/CVE-2019-3781.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-3781"
      ],
      "details": "Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a users password.",
      "id": "GSD-2019-3781",
      "modified": "2023-12-13T01:24:03.217237Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security_alert@emc.com",
        "DATE_PUBLIC": "2019-02-25T00:00:00.000Z",
        "ID": "CVE-2019-3781",
        "STATE": "PUBLIC",
        "TITLE": "CF CLI does not sanitize user\u0027s password in verbose/trace/debug"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "CF CLI",
                    "version": {
                      "version_data": [
                        {
                          "affected": "\u003c",
                          "version_name": "All",
                          "version_value": "v6.43.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Cloud Foundry"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a users password."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-215: Information Exposure Through Debug Information"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "107365",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/107365"
          },
          {
            "name": "https://www.cloudfoundry.org/blog/cve-2019-3781",
            "refsource": "CONFIRM",
            "url": "https://www.cloudfoundry.org/blog/cve-2019-3781"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:cloudfoundry:command_line_interface:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.43.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@dell.com",
          "ID": "CVE-2019-3781"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a users password."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-200"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.cloudfoundry.org/blog/cve-2019-3781",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2019-3781"
            },
            {
              "name": "107365",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/107365"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2020-10-19T17:55Z",
      "publishedDate": "2019-03-07T18:29Z"
    }
  }
}

FKIE_CVE-2019-3781

Vulnerability from fkie_nvd - Published: 2019-03-07 18:29 - Updated: 2024-11-21 04:42

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security_alert@emc.com	http://www.securityfocus.com/bid/107365	Third Party Advisory, VDB Entry
security_alert@emc.com	https://www.cloudfoundry.org/blog/cve-2019-3781	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/107365	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://www.cloudfoundry.org/blog/cve-2019-3781	Vendor Advisory

Impacted products

	Vendor	Product	Version
	cloudfoundry	command_line_interface	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cloudfoundry:command_line_interface:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1B7979C-34AA-41DD-8365-149AE0F0C94A",
              "versionEndExcluding": "6.43.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a users password."
    },
    {
      "lang": "es",
      "value": "Cloud Foudry CLI, en versiones anteriores a v6.43.0, expone contrase\u00f1as de manera incorrecta cuando verbose/trace/debugging est\u00e1 habilitado. Un usuario no autenticado o un usuario remoto autenticado malicioso con acceso a los logs podr\u00eda obtener parte o toda la contrase\u00f1a de un usuario."
    }
  ],
  "id": "CVE-2019-3781",
  "lastModified": "2024-11-21T04:42:31.827",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.8,
        "source": "security_alert@emc.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-03-07T18:29:00.587",
  "references": [
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/107365"
    },
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.cloudfoundry.org/blog/cve-2019-3781"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/107365"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.cloudfoundry.org/blog/cve-2019-3781"
    }
  ],
  "sourceIdentifier": "security_alert@emc.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-215"
        }
      ],
      "source": "security_alert@emc.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2019-23061

Vulnerability from cnvd - Published: 2019-07-17

Title

Cloud Foundry Command Line Interface信息泄露漏洞

Description

Cloud Foundry CLI是美国Cloud Foundry基金会的一款用于Cloud Foundry的命令行客户端程序。 Cloud Foundry CLI v6.43.0之前版本中存在信息泄露漏洞。远程攻击者可利用该漏洞获取部分或全部用户密码。

Severity

低

Patch Name

Cloud Foundry Command Line Interface信息泄露漏洞的补丁

Patch Description

Cloud Foundry CLI是美国Cloud Foundry基金会的一款用于Cloud Foundry的命令行客户端程序。 Cloud Foundry CLI v6.43.0之前版本中存在信息泄露漏洞。远程攻击者可利用该漏洞获取部分或全部用户密码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.cloudfoundry.org/blog/cve-2019-3781

Reference

https://www.securityfocus.com/bid/107365

Impacted products

Name
Cloud Foundry Cloud Foundry CLI <v6.43.0

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "107365"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-3781",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-3781"
    }
  },
  "description": "Cloud Foundry CLI\u662f\u7f8e\u56fdCloud Foundry\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u7528\u4e8eCloud Foundry\u7684\u547d\u4ee4\u884c\u5ba2\u6237\u7aef\u7a0b\u5e8f\u3002\n\nCloud Foundry CLI v6.43.0\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u90e8\u5206\u6216\u5168\u90e8\u7528\u6237\u5bc6\u7801\u3002",
  "discovererName": "Swisscom",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.cloudfoundry.org/blog/cve-2019-3781",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-23061",
  "openTime": "2019-07-17",
  "patchDescription": "Cloud Foundry CLI\u662f\u7f8e\u56fdCloud Foundry\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u7528\u4e8eCloud Foundry\u7684\u547d\u4ee4\u884c\u5ba2\u6237\u7aef\u7a0b\u5e8f\u3002\r\n\r\nCloud Foundry CLI v6.43.0\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u90e8\u5206\u6216\u5168\u90e8\u7528\u6237\u5bc6\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cloud Foundry Command Line Interface\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Cloud Foundry Cloud Foundry CLI \u003cv6.43.0"
  },
  "referenceLink": "https://www.securityfocus.com/bid/107365",
  "serverity": "\u4f4e",
  "submitTime": "2019-07-16",
  "title": "Cloud Foundry Command Line Interface\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

GHSA-Q96C-R8J3-G2QP

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14

Details

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-3781"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-07T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a users password.",
  "id": "GHSA-q96c-r8j3-g2qp",
  "modified": "2022-05-13T01:14:29Z",
  "published": "2022-05-13T01:14:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3781"
    },
    {
      "type": "WEB",
      "url": "https://www.cloudfoundry.org/blog/cve-2019-3781"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107365"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-3781 (GCVE-0-2019-3781)

SUSE-SU-2019:1220-2

SUSE-SU-2019:1220-1

GSD-2019-3781

FKIE_CVE-2019-3781

CNVD-2019-23061

GHSA-Q96C-R8J3-G2QP

Tags

Sightings

Nomenclature