Security Advisory

CVE-2016-5006 Cloud Controller API logs user-provided service credentials

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

Cloud Foundry releases prior to v239

Description

When a user-provided service (UPS) is created in Cloud Foundry, the Cloud Controller logs the entire UPS object, including the credentials supplied by the user, so those secrets end up in the Cloud Controller log output where anyone with access to the logs can read them.

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that users upgrade to Cloud Foundry v239 [1] or later
  • Rotate all credentials associated with user-provided services for affected deployments. Refer to this document for more information.
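
The following is an added example, not Cloud Foundry's own code, showing the two defender-side pieces this advisory implies: a redaction step that strips the `credentials` hash from a UPS object before it is logged (the description above), and a check an operator can run over existing log text to find credential values that were written verbatim and therefore need rotating (the mitigation above). The UPS payload and credential values are constructed samples; the log line format is assumed, not the Cloud Controller's actual format.

```ruby
require 'json'

# Constructed sample of a user-provided service (UPS) create request body,
# shaped like a `cf cups` payload (name plus a free-form credentials hash).
# The values are made up for this example and are not real secrets.
SAMPLE_UPS = {
  'name' => 'my-db',
  'space_guid' => 'example-space-guid',
  'credentials' => {
    'username' => 'dbuser',
    'password' => 'hunter2',
    'uri' => 'postgres://dbuser:hunter2@db.example.internal:5432/app'
  },
  'syslog_drain_url' => ''
}.freeze

# Keys whose values must never reach a log line. The credentials hash is
# redacted whole because a UPS may carry secrets under arbitrary key names.
SENSITIVE_KEYS = %w[credentials password secret token].freeze

# Returns a deep copy of obj in which every sensitive value is replaced by
# "[REDACTED]"; key names are kept so operators can still see what was set.
def redact_for_log(obj)
  case obj
  when Hash
    obj.each_with_object({}) do |(k, v), out|
      out[k] = SENSITIVE_KEYS.include?(k.to_s.downcase) ? '[REDACTED]' : redact_for_log(v)
    end
  when Array
    obj.map { |v| redact_for_log(v) }
  else
    obj
  end
end

# Safe way to log the request: serialise the redacted copy, never the original.
# (Assumed log line format; not the Cloud Controller's real format.)
def log_line_for(ups)
  "creating user-provided service: #{JSON.generate(redact_for_log(ups))}"
end

# Post-hoc check for existing logs: which known credential values appear
# verbatim in the log text? Anything returned here has leaked and must rotate.
def leaked_values(log_text, credentials)
  credentials.values.map(&:to_s).select { |v| !v.empty? && log_text.include?(v) }
end

if __FILE__ == $0
  unsafe = "creating user-provided service: #{JSON.generate(SAMPLE_UPS)}"
  puts "leaked from unredacted line: #{leaked_values(unsafe, SAMPLE_UPS['credentials']).inspect}"
  puts "leaked from redacted line:   #{leaked_values(log_line_for(SAMPLE_UPS), SAMPLE_UPS['credentials']).inspect}"
end
```

Redacting the whole `credentials` hash rather than individual keys matters here because the `uri` value embeds the password a second time; a key-by-key approach that only matched `password` would still leak it.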

References

History

2016-07-26: Initial vulnerability report published

Cloud Foundry Foundation Security Team, AUTHOR