CVE-2016-5006 Cloud Controller API logs user-provided service credentials


Share

CVE-2016-5006 Cloud Controller API logs user-provided service credentials

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

Cloud Foundry releases prior to v239

Description

When creating a user-provided service (UPS) in Cloud Foundry, the Cloud Controller logs the entire UPS object including the credentials provided by the user.

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that users upgrade to Cloud Foundry v239 [1] or later
  • Rotate all credentials associated with user-provided services for affected deployments. Refer to this document for more information.

References

History

2016-07-26: Initial vulnerability report published

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES