Security Advisory

CVE-2019-3781: CF CLI does not sanitize user’s password in verbose/trace/debug

Severity

High

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

Severity is high unless otherwise noted.

  • CF CLI
    • All versions prior to v6.43.0
  • CF CLI Release
    • All versions prior to v1.13.0
  • CF Networking Release
    • All versions prior to v2.23.0
  • CF Routing Release
    • All versions prior to v0.189.0
  • CF Smoke Tests
    • All versions prior to v40.0.113
  • CF Deployment
    • All versions prior to v10.0.0
  • CF Deployment Concourse Tasks
    • All versions prior to v9.3.0
  • CF Log Cache Release
    • All versions prior to v2.3.1
  • CF Notifications
    • All versions prior to v58

Description

CF CLI versions prior to v6.43.0, and CF CLI Release versions prior to v1.13.0, write the user's password into their output when verbose/trace/debug logging is turned on (for example with the CLI's `-v` flag or the `CF_TRACE` environment variable) instead of redacting it. A local unauthenticated or remote authenticated malicious user with access to those logs may obtain part or all of a user's password. The other releases listed above are affected through the CF CLI they bundle or run, which is why their fixed versions appear alongside the CLI's.
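The failure mode described above is a trace writer that dumps the raw token request. The following Go program is an added example, not code from the cf CLI or any Cloud Foundry release: it shows a constructed trace of a password-grant login in the REQUEST/RESPONSE layout that verbose logging prints, a sanitizer that redacts the Authorization header and the password and token fields in form-encoded and JSON bodies (the hardened behaviour an affected CLI lacked), and a check that tells you whether a given secret appears in an existing trace file or CI log. The hostnames, credentials, tokens and the `[PRIVATE DATA HIDDEN]` placeholder are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleTrace is a constructed trace of a CLI password-grant login against
// UAA, in the shape verbose/trace logging prints requests and responses.
// Hostnames, credentials and tokens are made up for this example.
const sampleTrace = `REQUEST: [2019-02-25T10:00:00Z]
POST /oauth/token HTTP/1.1
Host: uaa.example.com
Authorization: Basic Y2Y6
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=alice%40example.com&password=s3cr%26t%21&scope=
RESPONSE: [2019-02-25T10:00:01Z]
HTTP/1.1 200 OK
Content-Type: application/json

{"access_token":"eyJhbGciOi...","refresh_token":"abc.def","token_type":"bearer","expires_in":599}
`

// redacted is the placeholder written in place of a secret (an assumption
// for this example; the exact marker does not matter for the technique).
const redacted = "[PRIVATE DATA HIDDEN]"

var (
	// Form or JSON keys whose values must never reach a trace file.
	sensitiveKeys = map[string]bool{"password": true, "access_token": true, "refresh_token": true}
	// JSON members such as "password":"..." or "access_token":"...".
	jsonSecret = regexp.MustCompile(`"(password|access_token|refresh_token)"\s*:\s*"[^"]*"`)
	// The Authorization header carries Basic or Bearer credentials.
	authHeader = regexp.MustCompile(`(?i)^(authorization:\s*)(.*)$`)
)

// sanitizeFormBody redacts sensitive keys in an application/x-www-form-urlencoded
// body while keeping pair order and every other field intact.
func sanitizeFormBody(body string) string {
	pairs := strings.Split(body, "&")
	for i, pair := range pairs {
		key, _, hasValue := strings.Cut(pair, "=")
		decodedKey, err := url.QueryUnescape(key)
		if err != nil {
			decodedKey = key
		}
		if hasValue && sensitiveKeys[strings.ToLower(decodedKey)] {
			pairs[i] = key + "=" + redacted
		}
	}
	return strings.Join(pairs, "&")
}

// SanitizeTrace is the hardened behaviour: it walks a REQUEST/RESPONSE trace,
// blanks the Authorization header, and redacts secrets in form-encoded and
// JSON bodies. An affected CLI wrote the trace without this step.
func SanitizeTrace(trace string) string {
	lines := strings.Split(trace, "\n")
	inBody, formBody := false, false
	for i, line := range lines {
		switch {
		case strings.HasPrefix(line, "REQUEST:") || strings.HasPrefix(line, "RESPONSE:"):
			inBody, formBody = false, false // new message: back to headers
		case !inBody && line == "":
			inBody = true // blank line separates headers from body
		case !inBody:
			if m := authHeader.FindStringSubmatch(line); m != nil {
				lines[i] = m[1] + redacted
			} else if strings.HasPrefix(strings.ToLower(line), "content-type:") &&
				strings.Contains(line, "application/x-www-form-urlencoded") {
				formBody = true
			}
		case formBody:
			lines[i] = sanitizeFormBody(line)
		default:
			lines[i] = jsonSecret.ReplaceAllString(line, `"$1":"`+redacted+`"`)
		}
	}
	return strings.Join(lines, "\n")
}

// ContainsSecret reports whether secret appears in trace, either literally or
// URL-encoded as it would in a form body. Use it to audit trace files and CI
// logs produced by an affected CLI before deciding which passwords to rotate.
func ContainsSecret(trace, secret string) bool {
	return strings.Contains(trace, secret) || strings.Contains(trace, url.QueryEscape(secret))
}

func main() {
	password := "s3cr&t!"
	fmt.Println("unsanitized trace leaks password:", ContainsSecret(sampleTrace, password))
	clean := SanitizeTrace(sampleTrace)
	fmt.Println("sanitized trace leaks password:  ", ContainsSecret(clean, password))
	fmt.Println(clean)
}
```

The sanitizer keys off message structure (headers until the first blank line, then a body whose encoding is taken from Content-Type) rather than grepping for the literal password, because the password in a form body is URL-encoded and a literal search would miss it; `ContainsSecret` checks both encodings for the same reason when auditing logs.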

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases. Upgrading stops further exposure but does not clean up what was already written: trace or debug output produced by an affected CLI, including CI job logs from automation such as CF Deployment Concourse Tasks, should be treated as containing credentials, and the passwords used in those sessions rotated.

  • CF CLI
    • Upgrade all versions to v6.43.0 or greater
  • CF CLI Release
    • Upgrade all versions to v1.13.0 or greater
  • CF Networking Release
    • Upgrade all versions to v2.23.0 or greater
  • CF Routing Release
    • Upgrade all versions to v0.189.0 or greater
  • CF Smoke Tests
    • Upgrade all versions to v40.0.113 or greater
  • CF Deployment
    • Upgrade all versions to v10.0.0 or greater
  • CF Deployment Concourse Tasks
    • Upgrade all versions to v9.3.0 or greater
  • CF Log Cache Release
    • Upgrade all versions to v2.3.1 or greater
  • CF Notifications
    • Upgrade all versions to v58 or greater

Credit

This issue was responsibly reported by Swisscom.

History

2019-02-25: Initial vulnerability report published.

2019-04-03: Details about CF CLI Release added.

2019-07-24: Add additional affected products and mitigation steps.

2019-07-26: Add CF Deployment Concourse Tasks to the list.

Author: Cloud Foundry Foundation Security Team