Lucene search

K

CredHub Security Vulnerabilities

cve
cve

CVE-2020-5399

Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS. A malicious user with access to the network between CredHub and its MySQL database may eavesdrop on database connections and thereby gain unauthorized access to CredHub and...

7.4CVSS

7.3AI Score

0.002EPSS

2020-02-12 09:15 PM
39
cve
cve

CVE-2019-3800

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the...

7.8CVSS

7.3AI Score

0.002EPSS

2019-08-05 05:15 PM
50
cve
cve

CVE-2019-3801

Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the...

9.8CVSS

9.5AI Score

0.002EPSS

2019-04-25 09:29 PM
30
cve
cve

CVE-2019-3782

Cloud Foundry CredHub CLI, versions prior to 2.2.1, inadvertently writes authentication credentials provided via environment variables to its persistent config file. A local authenticated malicious user with access to the CredHub CLI config file can use these credentials to retrieve and modify...

7.8CVSS

7.5AI Score

0.0004EPSS

2019-02-13 04:29 PM
17
cve
cve

CVE-2018-15795

Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessable form of random number generation in creating service broker's UAA client. A remote malicious user may guess the client secret and obtain or modify credentials for users of the CredHub...

8.1CVSS

8AI Score

0.001EPSS

2018-11-13 02:29 PM
42
cve
cve

CVE-2017-8038

In Cloud Foundry Foundation Credhub-release version 1.1.0, access control lists (ACLs) enforce whether an authenticated user can perform an operation on a credential. For installations using ACLs, the ACL was bypassed for the CredHub interpolate endpoint, allowing authenticated applications to...

8.8CVSS

8.5AI Score

0.001EPSS

2017-11-27 10:29 AM
25