CVE-2019-3800

MEDIUM

Pivotal Cloud Foundry Command Line Interface - Information Disclosure

Title source: rule

Description

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

References (2)

[Vendor Advisory] https://pivotal.io/security/cve-2019-3800

[Vendor Advisory] https://www.cloudfoundry.org/blog/cve-2019-3800

Scores

CVSS v3 6.3

EPSS 0.0021

EPSS Percentile 42.5%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Classification

CWE

CWE-522 CWE-200

Status published

Affected Products (50)

pivotal/cloud_foundry_command_line_interface < 6.45.0

pivotal/cloud_foundry_command_line_interface_release < 1.16.0

pivotal/cloud_foundry_deployment < 10.0.0

pivotal/cloud_foundry_deployment_concourse_tasks < 9.3.0

pivotal/cloud_foundry_log_cache_release < 2.3.1

pivotal/cloud_foundry_networking_release < 2.23.0

pivotal/cloud_foundry_notifications < 58

pivotal/cloud_foundry_routing_release < 0.189.0

pivotal/cloud_foundry_smoke_test < 40.0.113

pivotal/application_service < 2.3.14

pivotal/cloud_foundry_autoscaling_release < 219

pivotal/cloud_foundry_event_alerts < 1.2.8

pivotal/cloud_foundry_healthwatch < 1.4.7

pivotal/credhub_service_broker_for_pcf < 1.3.2

pivotal/metric_registrar_release < 1.2

... and 35 more

Timeline

Published Aug 05, 2019

Tracked Since Feb 18, 2026