CVE-2019-3800

MEDIUM

Cloud Foundry Command Line Interface < 6.45.0 - Insufficiently Protected Credentials in Config File


Description

CF CLI versions prior to v6.45.0 (bosh release version 1.16.0) write the client ID and secret to the CLI's config file when the user authenticates with the --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, which is the owner of the leaked credentials.

References (2)

Vendor Advisory x_refsource_confirm
https://www.cloudfoundry.org/blog/cve-2019-3800
Vendor Advisory x_refsource_confirm
https://pivotal.io/security/cve-2019-3800

Scores

CVSS v3 6.3
EPSS 0.0028
EPSS Percentile 51.3%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Details

CWE
CWE-522 CWE-200
Status published
Products (50)
anynines/elasticsearch < 2.1.2
anynines/logme < 2.1.2
anynines/mongodb < 2.1.2
anynines/mysql < 2.1.2
anynines/postgresql < 2.1.2
anynines/rabbitmq < 2.1.2
anynines/redis < 2.1.2
apigee/edge_service_broker < 3.1.3
appdynamics/application_analytics < 4.7.652
appdynamics/application_performance_monitoring < 4.6.64
... and 40 more
Published Aug 05, 2019
Tracked Since Feb 18, 2026