Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2018-1191 – Garden may log Docker passwords

CVE-2018-1191 – Garden may log Docker passwords

Severity

High

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • You are using garden-runc-release prior to version 1.11.0
  • You are using cf-deployment prior to version 1.9.0

Description

Cloud Foundry Garden-runC, versions prior to 1.11.0, contains an information exposure vulnerability. A user with access to Garden logs may be able to obtain leaked credentials and perform authenticated actions using those credentials.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • garden-runc-release version 1.11.0
    • cf-deployment version 1.9.0

Credit

This issue was responsibly reported by the Garden team.

History

2018-03-28: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES