Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2020-5400: Cloud Controller logs environment variables from app manifests




Cloud Foundry Foundation


Cloud Foundry Cloud Controller (CAPI), versions prior to 1.91.0, logs properties of background jobs when they are run, which may include sensitive information such as credentials if provided to the job. A malicious user with access to those logs may gain unauthorized access to resources protected by such credentials.

Affected Cloud Foundry Products and Versions

Severity is high unless otherwise noted.

  • CAPI
    • All versions prior to 1.91.0
  • CF Deployment
    • All versions prior to v12.33.0


Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • CAPI
    • Upgrade all versions to 1.91.0 or greater
  • CF Deployment
    • Upgrade all versions to v12.33.0 or greater

Relevant log lines include the text “about to run job”. Operators should inform developers to rotate any credentials that are found there. Examples include service credentials provided to service broker jobs and environment variables provided to apps deployed using server-side manifests (such as by cf v3-apply-manifest or cf7 push).


This issue was responsibly reported by Miki Mokrysz of the GOV.UK PaaS team.


2020-02-24: Initial vulnerability report published.

2020-02-26: More detailed mitigation steps added.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR