Cloud FoundryCFOUNDRY:F2395754936DF3DD6FB4BC25F43B2C1ECVE-2020-5422: UAA password may appear in BOSH System Metrics Server process arguments | Cloud Foundry
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
28.4%
Severity
High
Vendor
Cloud Foundry Foundation
Description
BOSH System Metrics Server releases prior to 0.1.0 exposed the UAA password as a flag to a process running on the BOSH director. It exposed the password to any user or process with access to the same VM (through ps or looking at process details).
Affected Cloud Foundry Products and Versions
Severity is high unless otherwise noted.
- BOSH System Metrics Server
- All versions prior to 0.1.0
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
- BOSH System Metrics Server
- Upgrade all versions to 0.1.0 or greater
History
2020-10-01: Initial vulnerability report published.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| cloudfoundry | bosh_azure_cpi | * | cpe:2.3:a:cloudfoundry:bosh_azure_cpi:*:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
28.4%