Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2019-3800
HistoryAug 05, 2019 - 5:15 p.m.

CVE-2019-3800

2019-08-0517:15:10
CWE-522
CWE-200
[email protected]
web.nvd.nist.gov
50
cve-2019-3800
cf cli
configuration file
client credentials
security vulnerability

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.3 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.6%

JSON

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

Affected configurations

NVD
Node
pivotalcloud_foundry_command_line_interfaceRange<6.45.0
OR
pivotalcloud_foundry_command_line_interface_releaseRange<1.16.0
OR
pivotalcloud_foundry_deploymentRange<10.0.0
OR
pivotalcloud_foundry_deployment_concourse_tasksRange<9.3.0
OR
pivotalcloud_foundry_log_cache_releaseRange<2.3.1
OR
pivotalcloud_foundry_networking_releaseRange<2.23.0
OR
pivotalcloud_foundry_notificationsRange<58
OR
pivotalcloud_foundry_routing_releaseRange<0.189.0
OR
pivotalcloud_foundry_smoke_testRange<40.0.113
Node
pivotalapplication_serviceRange2.3.02.3.14
OR
pivotalapplication_serviceRange2.4.02.4.10
OR
pivotalapplication_serviceRange2.5.02.5.6
OR
pivotalcloud_foundry_autoscaling_releaseRange<219
OR
pivotalcloud_foundry_event_alertsRange<1.2.8
OR
pivotalcloud_foundry_healthwatchRange1.4.01.4.7
OR
pivotalcloud_foundry_healthwatchRange1.5.01.5.4
OR
pivotalcredhub_service_broker_for_pcfRange<1.3.2
OR
pivotalmetric_registrar_releaseRange<1.2
OR
pivotalon_demand_service_brokerRange<0.29.0
OR
pivotalpivotal_cloud_foundry_service_brokerRange<1.4.13aws
OR
pivotalsingle_sign-onRange1.7.01.7.5cloud_foundry
OR
pivotalsingle_sign-onRange1.8.01.8.4cloud_foundry
OR
pivotalsingle_sign-onRange1.9.01.9.1cloud_foundry
Node
anynineselasticsearchRange<2.1.2pivotal_cloud_foundry
OR
anynineslogmeRange<2.1.2pivotal_cloud_foundry
OR
anyninesmongodbRange<2.1.2pivotal_cloud_foundry
OR
anyninesmysqlRange<2.1.2pivotal_cloud_foundry
OR
anyninespostgresqlRange<2.1.2pivotal_cloud_foundry
OR
anyninesrabbitmqRange<2.1.2pivotal_cloud_foundry
OR
anyninesredisRange<2.1.2pivotal_cloud_foundry
OR
apigeeedge_service_brokerRange<3.1.3pivotal_cloud_foundry
OR
appdynamicsapplication_analyticsRange<4.7.652pivotal_cloud_foundry
OR
appdynamicsapplication_performance_monitoringRange<4.6.64pivotal_cloud_foundry
OR
appdynamicsplatform_montioringRange<4.7.712pivotal_cloud_foundry
OR
bluemedoranozzleRange<3.1.1pivotal_cloud_foundry
OR
contrastsecurityservice_brokerRange<2.2.0pivotal_cloud_foundry
OR
cyberarkconjur_service_brokerRange<1.1.1pivotal_cloud_foundry
OR
datadoghqapplication_monitoringRange<1.7.0pivotal_cloud_foundry
OR
datastaxenterprise_service_brokerRange<1.0.2pivotal_cloud_foundry
OR
dynatraceservice_brokerRange<1.4.2pivotal_cloud_foundry
OR
forgerockservice_brokerRange<2.1.2pivotal_cloud_foundry
OR
googlegoogle_cloud_platform_service_brokerRange<4.2.3pivotal_cloud_foundry
OR
ibmwebsphere_liberty_Range<3.11.0pivotal_cloud_foundry
OR
microsoftazure_log_analytics_nozzleRange<1.4.1pivotal_cloud_foundry
OR
microsoftazure_service_brokerRange<1.4.1pivotal_cloud_foundry
OR
newrelicdotnet_extension_buildpackRange<1.1.1pivotal_cloud_foundry
OR
newrelicnozzleRange<1.1.17pivotal_cloud_foundry
OR
newrelicservice_brokerRange<1.12.64pivotal_cloud_foundry
OR
pagerdutyservice_brokerRange<1.2.4pivotal_cloud_foundry
OR
riverbedsteelcentral_appinternalsRange<10.21.1-bl516pivotal_cloud_foundry
OR
sambavolume_serviceRange<1.1.1pivotal_cloud_foundry
OR
signalsciencesservice_brokerRange<1.1.0pivotal_cloud_foundry
OR
snykservice_brokerRange<1.0.3pivotal_cloud_foundry
OR
solacepubsub\+Range<2.3.2pivotal_cloud_foundry
OR
splunknozzleRange<1.1.1pivotal_cloud_foundry
OR
sumologicnozzleRange<1.0.1pivotal_cloud_foundry
OR
synopsysseeker_iast_service_brokerRange<1.2.14pivotal_cloud_foundry
OR
tibcobusinessworks_buildpackRange<2.4.4containerpivotal_cloud_foundry
OR
wavefrontwavefront_by_vmware_nozzleRange<1.0.2pivotal_cloud_foundry
OR
yugabytedb_enterpriseRange<1.1.8pivotal_cloud_foundry
CPENameOperatorVersion
pivotal:cloud_foundry_command_line_interfacepivotal cloud foundry command line interfacelt6.45.0
pivotal:cloud_foundry_command_line_interface_releasepivotal cloud foundry command line interface releaselt1.16.0
pivotal:cloud_foundry_deploymentpivotal cloud foundry deploymentlt10.0.0
pivotal:cloud_foundry_deployment_concourse_taskspivotal cloud foundry deployment concourse taskslt9.3.0
pivotal:cloud_foundry_log_cache_releasepivotal cloud foundry log cache releaselt2.3.1
pivotal:cloud_foundry_networking_releasepivotal cloud foundry networking releaselt2.23.0
pivotal:cloud_foundry_notificationspivotal cloud foundry notificationslt58
pivotal:cloud_foundry_routing_releasepivotal cloud foundry routing releaselt0.189.0
pivotal:cloud_foundry_smoke_testpivotal cloud foundry smoke testlt40.0.113

CNA Affected

[
  {
    "product": "CF CLI Release",
    "vendor": "Cloud Foundry",
    "versions": [
      {
        "status": "affected",
        "version": "v1.x before v1.16.0"
      }
    ]
  },
  {
    "product": "CF CLI",
    "vendor": "Cloud Foundry",
    "versions": [
      {
        "status": "affected",
        "version": "versions prior to v6.45.0"
      }
    ]
  }
]

Related

osv 1
cvelist 1
cloudfoundry 1
ibm 2
nvd 1
prion 1
osv
osv
CVE-2019-3800
2019-08-05 17:15:10
cvelist
cvelist
CVE-2019-3800 CF CLI writes the client id and secret to config file
2019-07-18 00:00:00
cloudfoundry
cloudfoundry
CVE-2019-3800: CF CLI writes the client id and secret to config file | Cloud Foundry
2019-07-18 00:00:00
ibm
ibm
Security Bulletin: Security Vulnerability affects Cloud Foundry for IBM Cloud Private (CVE-2019-3800)
2019-11-24 13:04:22
Security Bulletin: Vulnerability of Embedded CF CLI In IBM Cloud CLI
2020-07-24 21:16:35
nvd
nvd
CVE-2019-3800
2019-08-05 17:15:10
prion
prion
Design/Logic Flaw
2019-08-05 17:15:00

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.3 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.6%

JSON
Related for CVE-2019-3800
osv1cvelist1cloudfoundry1ibm2nvd1prion1