Design/Logic Flaw

2019-08-0517:15:00

PRIOn knowledge base

www.prio-n.com

7.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.6%

JSON

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

CPENameOperatorVersion
elasticsearchlt2.1.2
logmelt2.1.2
mongodblt2.1.2
mysqllt2.1.2
postgresqllt2.1.2
rabbitmqlt2.1.2
redislt2.1.2
edge_service_brokerlt3.1.3
application_analyticslt4.7.652
application_performance_monitoringlt4.6.64

Name	Operator	Version
elasticsearch	lt	2.1.2
logme	lt	2.1.2
mongodb	lt	2.1.2
mysql	lt	2.1.2
postgresql	lt	2.1.2
rabbitmq	lt	2.1.2
redis	lt	2.1.2
edge_service_broker	lt	3.1.3
application_analytics	lt	4.7.652
application_performance_monitoring	lt	4.6.64