Lucene search
Cloud FoundryCFOUNDRY:87B5ED3C8439EBE0FF3EB795DF9C98B4HistorySep 09, 2016 - 12:00 a.m.
CVE-2016-6639: PHP Buildpack exposes .profile file | Cloud Foundry
2016-09-0900:00:00
Cloud Foundry
www.cloudfoundry.org
46
0.004 Low
EPSS
Percentile
72.5%
CVE-2016-6639: PHP Buildpack exposes .profile file
Medium
Vendor
Cloud Foundry Foundation
Versions Affected
- PHP Buildpack versions prior to v4.3.18
- Cf-release versions prior to v242
Description
The .profile file, which can potentially include environment variables and credentials, is exposed by default in the PHP Buildpack. The PHP buildpack prior to v4.3.18 did not actually allow for execution of the .profile file, so it is unlikely that many applications were using it.
Mitigation
Users of affected versions should apply the following mitigation:
- For existing deployments, upgrade the PHP Buildpack to v4.3.18 or later [1] and restage all applications that use automated buildpack detection.
- Immediately rotate credentials for apps using the PHP buildpack if they were stored in the .profile file.
Credit
Cloud Foundry Buildpacks Team
References
[1] <https://github.com/cloudfoundry/php-buildpack/releases>
History
2016-09-07: Initial vulnerability report published
Related
prion
prion
Cross site request forgery (csrf)
2016-09-18 02:59:00
nvd
nvd
CVE-2016-6639
2016-09-18 02:59:12
cve
cve
CVE-2016-6639
2016-09-18 02:59:12
cvelist
cvelist
CVE-2016-6639
2016-09-18 01:00:00