Security Advisory

CVE-2018-1231: BOSH CLI does not restrict access to configuration file

Severity

Medium

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • You are using a BOSH CLI version prior to v3.0.1

Description

Cloud Foundry BOSH CLI, versions prior to v3.0.1, contains an improper access control vulnerability: the CLI does not restrict its configuration file to the owning user. Any other user with access to a machine on which the BOSH CLI has been used (for example a shared jumpbox) can read that file, obtain the credentials it caches there (such as the access and refresh tokens stored after logging in to a BOSH Director), and use them to perform authenticated requests to BOSH as the original user.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • BOSH CLI v3.0.1
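
As an added check (not part of this advisory or of the bosh-cli project), the following POSIX shell script audits a host for both conditions the advisory describes: a BOSH CLI configuration file that other local users can read, and a CLI older than v3.0.1. It assumes the CLI's default configuration path ~/.bosh/config (overridable through the BOSH_CONFIG environment variable) and that `bosh --version` prints a line beginning "version X.Y.Z"; both are assumptions about the CLI, not statements from the advisory.

```shell
#!/bin/sh
# Added audit helper for CVE-2018-1231; example code, not from the advisory or bosh-cli.
# Assumptions: config file is ~/.bosh/config unless BOSH_CONFIG is set, and
# `bosh --version` prints "version X.Y.Z-<sha>-<date>".

# Print the octal permission bits of a file, e.g. 644 (GNU stat first, BSD stat fallback).
bosh_config_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Exit 0 when group or other hold any permission bit on the file, i.e. another
# local user could read the tokens cached in it. Exit 1 when it is owner-only.
bosh_config_exposed() {
    mode=$(bosh_config_mode "$1") || return 2
    case "$mode" in
        *00) return 1 ;;   # 600, 700, 400 ...: owner-only, not exposed
        *)   return 0 ;;   # any group/other bit set
    esac
}

# Exit 0 when the given `bosh --version` output (or a bare X.Y.Z) is older than 3.0.1.
bosh_cli_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^\(version \)\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\2/p')
    if [ -z "$ver" ]; then
        echo "unrecognised version string: $1" >&2
        return 2
    fi
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -lt 3 ]; then
        return 0
    fi
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 1 ]; then
        return 0
    fi
    return 1
}

# Audit the live config file and installed CLI; pass "fix" to tighten the file to 0600.
# Skips quietly when the file or the CLI is not present on this host.
audit_bosh_config() {
    config="${BOSH_CONFIG:-$HOME/.bosh/config}"
    if [ -f "$config" ]; then
        if bosh_config_exposed "$config"; then
            echo "WARN: $config is mode $(bosh_config_mode "$config"); readable by other users"
            if [ "${1:-}" = "fix" ]; then
                chmod 600 "$config" && echo "fixed: $config is now mode $(bosh_config_mode "$config")"
            fi
        else
            echo "OK: $config is mode $(bosh_config_mode "$config")"
        fi
    fi
    if command -v bosh >/dev/null 2>&1; then
        v=$(bosh --version 2>/dev/null | head -n 1)
        if bosh_cli_vulnerable "$v"; then
            echo "WARN: BOSH CLI '$v' predates v3.0.1; upgrade the CLI"
        else
            echo "OK: BOSH CLI '$v'"
        fi
    fi
}

audit_bosh_config "${1:-}"
```

Tightening the file's mode closes the window going forward, but it does not undo a past exposure: if the file was readable by other users on a shared machine, treat the tokens cached in it as potentially disclosed, log out of the affected Director so the cached tokens are discarded, and log in again after upgrading the CLI.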

Credit

This issue was responsibly reported by the VMware team.

History

2018-03-26: Initial vulnerability report published.

Author: Cloud Foundry Foundation Security Team