Severity
MEDIUM
CVSSv4: Medium 4.3 (CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:L)
CVSSv3: Medium 5.8 (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:L)
Vendor
Cloud Foundry Foundation
Versions Affected
*Severity is MEDIUM unless otherwise noted.
BOSH Director
– All versions prior to v282.1.12
Description
When the director sends a long-running request (e.g. compile_package), the agent's reply JSON is consumed by AgentClient: inject_compile_log (lines 332-339) reads response['value']['result']['compile_log_id'], and format_exception (lines 318-325) reads exception['blobstore_id']. Both pass the agent-supplied string unmodified to download_and_delete_blob(blob_id) (lines 344-349), which calls @resource_manager.get_resource(blob_id) and, in an ensure block, @resource_manager.delete_resource(blob_id). Api::ResourceManager forwards the id straight to blobstore.get(id) / blobstore.delete(id).

When the director is configured with the local blobstore provider, Blobstore::LocalClient#object_file_path(oid) is File.join(@blobstore_path, oid) (local_client.rb:54-56) with no normalisation or validation of oid, so an id such as "../../jobs/director/config/director.yml" resolves to a path outside the blobstore root. get_file then copies that file's bytes out, and delete_object runs FileUtils.rm on it.

Exploit scenario
An attacker with code execution on any BOSH-managed VM replaces, or intercepts and rewrites in transit, the bosh-agent reply for an in-flight compile_package task, returning:
JSON
{"value":{"result":{"compile_log_id":"../../jobs/director/config/director.yml", ...}}}
The director worker then calls download_and_delete_blob("../../jobs/director/config/director.yml"). With a local blobstore at /var/vcap/store/blobstore the id resolves to /var/vcap/jobs/director/config/director.yml (any other path on the director is reachable with enough ../ segments): get_resource copies that file into the compile log stored in the task output, and the ensure block then runs FileUtils.rm on the original file on the director. Repeating the request with different paths lets the attacker exfiltrate secrets and brick the director.
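As an added illustration (not code from BOSH or the Cloud Foundry project), the Ruby below reproduces the pattern described above with minimal stand-ins for LocalClient#object_file_path and download_and_delete_blob, feeds the constructed agent reply through them against a temporary directory laid out like /var/vcap, and contrasts the result with a hardened object_file_path that restricts blob ids to an identifier-shaped character set and rejects anything that expands outside the blobstore root. The class and method names, the id pattern, the sample director.yml contents and the temp-directory layout are assumptions made for this example; the fix actually shipped in v282.1.12 may differ.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example: minimal stand-in for the vulnerable LocalClient#object_file_path
# described in the advisory (File.join with no normalisation). Not BOSH's code.
class VulnerableLocalClient
  def initialize(blobstore_path)
    @blobstore_path = blobstore_path
  end

  def object_file_path(oid)
    File.join(@blobstore_path, oid) # "../../x" escapes the blobstore root
  end
end

# Hardened stand-in (an assumed fix, not necessarily the one shipped in v282.1.12):
# accept only identifier-shaped ids and, as defence in depth, verify that the
# expanded path still lies under the blobstore root.
class HardenedLocalClient
  OID_PATTERN = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/ # BOSH blob ids are UUID-like

  def initialize(blobstore_path)
    @blobstore_path = File.expand_path(blobstore_path)
  end

  def object_file_path(oid)
    unless oid.is_a?(String) && OID_PATTERN.match?(oid)
      raise ArgumentError, 'invalid blob id'
    end
    path = File.expand_path(oid, @blobstore_path)
    unless path.start_with?(@blobstore_path + File::SEPARATOR)
      raise ArgumentError, 'blob id escapes blobstore root'
    end
    path
  end
end

# Director-side flow from the advisory: read the blob, then delete it in ensure.
# The agent-supplied id reaches object_file_path unmodified.
def download_and_delete_blob(client, blob_id)
  path = nil
  path = client.object_file_path(blob_id)
  File.binread(path)
ensure
  FileUtils.rm_f(path) if path
end

# Builds a temp tree shaped like /var/vcap (store/blobstore beside jobs/director/config),
# runs a constructed malicious agent reply through both clients and reports what happened.
def demo
  Dir.mktmpdir do |root|
    blobstore  = File.join(root, 'store', 'blobstore')
    config_dir = File.join(root, 'jobs', 'director', 'config')
    FileUtils.mkdir_p([blobstore, config_dir])
    secret = File.join(config_dir, 'director.yml')
    secret_text = "director:\n  db_password: s3cret\n" # constructed sample, not a real config
    File.write(secret, secret_text)
    File.write(File.join(blobstore, 'abc123'), 'compile log bytes') # legitimate blob

    # Constructed agent reply carrying a traversal id, as in the exploit scenario.
    reply = { 'value' => { 'result' => { 'compile_log_id' => '../../jobs/director/config/director.yml' } } }
    blob_id = reply['value']['result']['compile_log_id']

    leaked = download_and_delete_blob(VulnerableLocalClient.new(blobstore), blob_id)
    vulnerable = { leaked: leaked, config_deleted: !File.exist?(secret) }

    File.write(secret, secret_text) # restore before exercising the hardened client
    hardened_error =
      begin
        download_and_delete_blob(HardenedLocalClient.new(blobstore), blob_id)
        nil
      rescue ArgumentError => e
        e.message
      end
    legit = download_and_delete_blob(HardenedLocalClient.new(blobstore), 'abc123')

    { vulnerable: vulnerable, hardened_error: hardened_error,
      config_intact: File.exist?(secret), legit: legit }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

Running the script prints the leaked file contents and confirms the original was removed by the ensure block, while the hardened client rejects the same id before any filesystem access and still serves the legitimate blob. The character-class check alone would stop this report's payload; the root check is kept because an allow-list can later be loosened, and a single traversal through an eventually-permitted separator is enough to reopen the hole.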
Preconditions
- Director configured with the local blobstore provider (provider: local). This is common in bosh-lite and some on-prem installs; the s3/gcs/dav clients pass the id as a CLI argument and do not path-join it.
- Attacker controls a managed VM's agent responses (root on a deployed instance, or the ability to publish on that agent's NATS reply subject).
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below.
The Cloud Foundry project recommends upgrading the following releases:
BOSH Director
– Upgrade BOSH Director versions to v282.1.12 or greater
Immediate Workarounds
– Monitor BOSH Director task logs for unusual file access patterns
– Implement network segmentation to limit VM communication channels
– Review and restrict NATS topic permissions where possible
Credit
n/a
History
Initial vulnerability report published May 26th 2026
