CVE-2019-3800

EPSS 0.21%
Published 05.08.2019 17:15:10
Last modified 21.11.2024 04:42:33
Source security_alert@emc.com
Teams watchlist Login
Open Login

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

Affected products Warnungen 0 Metrics 4 CWE 2 References 5

Data is provided by the National Vulnerability Database (NVD)

Pivotal ≫ Cloud Foundry Command Line Interface Version < 6.45.0

Pivotal ≫ Cloud Foundry Command Line Interface Release Version < 1.16.0

Pivotal ≫ Cloud Foundry Deployment Version < 10.0.0

Pivotal ≫ Cloud Foundry Deployment Concourse Tasks Version < 9.3.0

Pivotal ≫ Cloud Foundry Log Cache Release Version < 2.3.1

Pivotal ≫ Cloud Foundry Networking Release Version < 2.23.0

Pivotal ≫ Cloud Foundry Notifications Version < 58

Pivotal ≫ Cloud Foundry Routing Release Version < 0.189.0

Pivotal ≫ Cloud Foundry Smoke Test Version < 40.0.113

Pivotal ≫ Application Service Version >= 2.3.0 < 2.3.14

Pivotal ≫ Application Service Version >= 2.4.0 < 2.4.10

Pivotal ≫ Application Service Version >= 2.5.0 < 2.5.6

Pivotal ≫ Cloud Foundry Autoscaling Release Version < 219

Pivotal ≫ Cloud Foundry Event Alerts Version < 1.2.8

Pivotal ≫ Cloud Foundry Healthwatch Version >= 1.4.0 < 1.4.7

Pivotal ≫ Cloud Foundry Healthwatch Version >= 1.5.0 < 1.5.4

Pivotal ≫ Credhub Service Broker For Pcf Version < 1.3.2

Pivotal ≫ Metric Registrar Release Version < 1.2

Pivotal ≫ On Demand Service Broker Version < 0.29.0

Pivotal ≫ Pivotal Cloud Foundry Service Broker SwPlatformaws Version < 1.4.13

Pivotal ≫ Single Sign-on SwPlatformcloud_foundry Version >= 1.7.0 < 1.7.5

Pivotal ≫ Single Sign-on SwPlatformcloud_foundry Version >= 1.8.0 < 1.8.4

Pivotal ≫ Single Sign-on SwPlatformcloud_foundry Version >= 1.9.0 < 1.9.1

Anynines ≫ Elasticsearch SwPlatformpivotal_cloud_foundry Version < 2.1.2

Anynines ≫ Logme SwPlatformpivotal_cloud_foundry Version < 2.1.2

Anynines ≫ Mongodb SwPlatformpivotal_cloud_foundry Version < 2.1.2

Anynines ≫ Mysql SwPlatformpivotal_cloud_foundry Version < 2.1.2

Anynines ≫ Postgresql SwPlatformpivotal_cloud_foundry Version < 2.1.2

Anynines ≫ Rabbitmq SwPlatformpivotal_cloud_foundry Version < 2.1.2

Anynines ≫ Redis SwPlatformpivotal_cloud_foundry Version < 2.1.2

Apigee ≫ Edge Service Broker SwPlatformpivotal_cloud_foundry Version < 3.1.3

Appdynamics ≫ Application Analytics SwPlatformpivotal_cloud_foundry Version < 4.7.652

Appdynamics ≫ Application Performance Monitoring SwPlatformpivotal_cloud_foundry Version < 4.6.64

Appdynamics ≫ Platform Montioring SwPlatformpivotal_cloud_foundry Version < 4.7.712

Bluemedora ≫ Nozzle SwPlatformpivotal_cloud_foundry Version < 3.1.1

Contrastsecurity ≫ Service Broker SwPlatformpivotal_cloud_foundry Version < 2.2.0

Cyberark ≫ Conjur Service Broker SwPlatformpivotal_cloud_foundry Version < 1.1.1

Datadoghq ≫ Application Monitoring SwPlatformpivotal_cloud_foundry Version < 1.7.0

Datastax ≫ Enterprise Service Broker SwPlatformpivotal_cloud_foundry Version < 1.0.2

Dynatrace ≫ Service Broker SwPlatformpivotal_cloud_foundry Version < 1.4.2

Forgerock ≫ Service Broker SwPlatformpivotal_cloud_foundry Version < 2.1.2

Google ≫ Google Cloud Platform Service Broker SwPlatformpivotal_cloud_foundry Version < 4.2.3

Ibm ≫ Websphere Liberty SwPlatformpivotal_cloud_foundry Version < 3.11.0

Microsoft ≫ Azure Log Analytics Nozzle SwPlatformpivotal_cloud_foundry Version < 1.4.1

Microsoft ≫ Azure Service Broker SwPlatformpivotal_cloud_foundry Version < 1.4.1

Newrelic ≫ Dotnet Extension Buildpack SwPlatformpivotal_cloud_foundry Version < 1.1.1

Newrelic ≫ Nozzle SwPlatformpivotal_cloud_foundry Version < 1.1.17

Newrelic ≫ Service Broker SwPlatformpivotal_cloud_foundry Version < 1.12.64

Pagerduty ≫ Service Broker SwPlatformpivotal_cloud_foundry Version < 1.2.4

Riverbed ≫ Steelcentral Appinternals SwPlatformpivotal_cloud_foundry Version < 10.21.1-bl516

Samba ≫ Volume Service SwPlatformpivotal_cloud_foundry Version < 1.1.1

Signalsciences ≫ Service Broker SwPlatformpivotal_cloud_foundry Version < 1.1.0

Snyk ≫ Service Broker SwPlatformpivotal_cloud_foundry Version < 1.0.3

Solace ≫ Pubsub+ SwPlatformpivotal_cloud_foundry Version < 2.3.2

Splunk ≫ Nozzle SwPlatformpivotal_cloud_foundry Version < 1.1.1

Sumologic ≫ Nozzle SwPlatformpivotal_cloud_foundry Version < 1.0.1

Synopsys ≫ Seeker Iast Service Broker SwPlatformpivotal_cloud_foundry Version < 1.2.14

Tibco ≫ Businessworks Buildpack SwEditioncontainer SwPlatformpivotal_cloud_foundry Version < 2.4.4

Wavefront ≫ Wavefront By Vmware Nozzle SwPlatformpivotal_cloud_foundry Version < 1.0.2

Yugabyte ≫ Db Enterprise SwPlatformpivotal_cloud_foundry Version < 1.1.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.21%	0.428

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	2.1	3.9	2.9	AV:L/AC:L/Au:N/C:P/I:N/A:N
security_alert@emc.com	6.3	2	3.7	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://pivotal.io/security/cve-2019-3800

Vendor Advisory

https://www.cloudfoundry.org/blog/cve-2019-3800

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-3800

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-3800

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-3800

EUVD