Lucene search

DellCVELIST:CVE-2018-1264

HistoryOct 05, 2018 - 9:00 p.m.

CVE-2018-1264 Log Cache logs UAA client secret on startup

2018-10-0521:00:00

dell

www.cve.org

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.004

Percentile

74.4%

JSON

Cloud Foundry Log Cache, versions prior to 1.1.1, logs its UAA client secret on startup as part of its envstruct report. A remote attacker who has gained access to the Log Cache VM can read this secret, gaining all privileges held by the Log Cache UAA client. In the worst case, if this client is an admin, the attacker would gain complete control over the Foundation.

CNA Affected

[
  {
    "product": "log-cache-release",
    "vendor": "Cloud Foundry",
    "versions": [
      {
        "lessThan": "1.1.1",
        "status": "affected",
        "version": "all versions",
        "versionType": "custom"
      }
    ]
  }
]

References

www.cloudfoundry.org/blog/cve-2018-1264/

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.004

Percentile

74.4%

JSON

Related for CVELIST:CVE-2018-1264