Lucene search

K
cve[email protected]CVE-2020-5422
HistoryOct 02, 2020 - 5:15 p.m.

CVE-2020-5422

2020-10-0217:15:12
CWE-214
CWE-668
web.nvd.nist.gov
18
bosh system metrics server
uaa password
cve-2020-5422
security vulnerability
nvd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

4 Medium

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

28.3%

BOSH System Metrics Server releases prior to 0.1.0 exposed the UAA password as a flag to a process running on the BOSH director. It exposed the password to any user or process with access to the same VM (through ps or looking at process details).

Affected configurations

NVD
Node
cloud_foundrybosh_system_metrics_serverRange<0.1.0

CNA Affected

[
  {
    "product": "BOSH System Metrics Server",
    "vendor": "Cloud Foundry",
    "versions": [
      {
        "lessThan": "0.1.0",
        "status": "affected",
        "version": "All",
        "versionType": "custom"
      }
    ]
  }
]

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

4 Medium

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

28.3%

Related for CVE-2020-5422