CVE-2019-3781: CF CLI does not sanitize user’s password in verbose/trace/debug

By: Cloud Foundry Foundation Security Team | February 25, 2019



Severity

High

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • CF CLI
    • All versions prior to v6.43.0

Description

CF CLI versions prior to v6.43.0 improperly expose passwords when verbose/trace/debug output is turned on. A local unauthenticated or remote authenticated malicious user with access to those logs may obtain part or all of a user's password.
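The failure described above is a trace/verbose logger that echoes an authentication request verbatim, so the form field carrying the password (and any credential header) lands in the log. The Go program below is an added example written for this advisory, not code from the CF CLI itself, showing the redaction a trace writer should apply before anything is written: header names and form field names stay visible so the trace remains useful for debugging, while the values on a deny list are replaced. The sample request, the `Redacted` marker text, and the deny lists are constructed for the example; the `/oauth/token` form fields mirror a typical password-grant token request but are not taken from the CLI source.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"strings"
)

// Marker written in place of any secret (constructed for this example).
const Redacted = "[PRIVATE DATA HIDDEN]"

// Header names (canonical form) whose values must never reach a trace.
var sensitiveHeaders = map[string]bool{
	"Authorization": true,
	"Cookie":        true,
	"Set-Cookie":    true,
}

// Form/query field names whose values must never reach a trace.
var sensitiveFields = map[string]bool{
	"password":      true,
	"client_secret": true,
	"refresh_token": true,
}

// RedactHeaders returns a copy of h with sensitive header values replaced.
func RedactHeaders(h http.Header) http.Header {
	out := h.Clone()
	for name := range out {
		if sensitiveHeaders[http.CanonicalHeaderKey(name)] {
			out[name] = []string{Redacted}
		}
	}
	return out
}

// RedactFormBody rewrites an application/x-www-form-urlencoded body so that
// sensitive field values are replaced while field names stay visible.
// If the body cannot be parsed, the whole body is hidden rather than risk
// echoing a secret in an unexpected encoding.
func RedactFormBody(body string) string {
	values, err := url.ParseQuery(body)
	if err != nil {
		return Redacted
	}
	keys := make([]string, 0, len(values))
	for k := range values {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		for _, v := range values[k] {
			if sensitiveFields[strings.ToLower(k)] {
				v = Redacted
			} else {
				v = url.QueryEscape(v)
			}
			parts = append(parts, url.QueryEscape(k)+"="+v)
		}
	}
	return strings.Join(parts, "&")
}

// FormatTrace renders one request the way a verbose trace would, after
// redaction. Only the redacted copies of headers and body are written.
func FormatTrace(method, target string, h http.Header, body string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "REQUEST: %s %s\n", method, target)
	rh := RedactHeaders(h)
	names := make([]string, 0, len(rh))
	for n := range rh {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Fprintf(&b, "%s: %s\n", n, strings.Join(rh[n], ", "))
	}
	fmt.Fprintf(&b, "\n%s\n", RedactFormBody(body))
	return b.String()
}

func main() {
	// Constructed sample: a password-grant token request like a CLI login sends.
	h := http.Header{}
	h.Set("Content-Type", "application/x-www-form-urlencoded")
	h.Set("Authorization", "Basic Y2Y6") // constructed client credential
	body := "grant_type=password&username=alice&password=s3cret%21"
	fmt.Print(FormatTrace("POST", "/oauth/token", h, body))
}
```

Two practical points follow from the design. Redaction has to happen on the copy that is about to be written, never on the request object the client still needs to send. And because verbose output may be directed to a file, any trace files produced by an affected version while a user logged in should be treated as containing that user's credential: delete them and rotate the password, since the upgrade alone does not remove what was already written.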

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • CF CLI
    • Upgrade all versions to v6.43.0 or later

Credit

This issue was responsibly reported by Swisscom.

History

2019-02-25: Initial vulnerability report published.


Cloud Foundry Foundation Security Team, AUTHOR
