Description
BOSH System Metrics Server releases prior to 0.1.0 passed the UAA password as a command-line flag to a process running on the BOSH director. Because process arguments are readable by any user or process with access to the same VM (for example via ps or by inspecting process details), the password was exposed to everything sharing that host.
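As an added illustration of the weakness class described above (a secret in argv, CWE-214), the following script is not part of this record or of the BOSH project: it scans process command lines for credential-bearing flags, the same data ps exposes. The flag names, the sample invocations and the `--uaa-password-file` variant are constructed for the example and are not the project's actual flags or its fix.

```python
import re

# Constructed keyword lists: a flag whose name contains one of these is treated as
# secret-bearing, unless the name ends in a path-like suffix (a file reference is
# not the secret itself, and a file can carry restrictive permissions).
SECRET_WORDS = ("pass", "secret", "token", "apikey", "api-key", "api_key")
PATH_SUFFIXES = ("file", "path")
FLAG_RE = re.compile(r"^--?([A-Za-z0-9_.-]+)(?:=(.*))?$", re.DOTALL)


def _is_secret_flag(name: str) -> bool:
    n = name.lower()
    return any(w in n for w in SECRET_WORDS) and not n.endswith(PATH_SUFFIXES)


def find_secret_args(argv):
    """Return (flag, value) pairs in argv whose value is visible to ps and looks like a secret."""
    hits, i = [], 1  # argv[0] is the program path, never a flag
    while i < len(argv):
        m = FLAG_RE.match(argv[i])
        if m and _is_secret_flag(m.group(1)):
            if m.group(2) is not None:  # --flag=value form
                hits.append((m.group(1), m.group(2)))
            elif i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                hits.append((m.group(1), argv[i + 1]))  # --flag value form
                i += 1
        i += 1
    return hits


def read_proc_cmdline(pid: int):
    """argv of a live Linux process; /proc/<pid>/cmdline is NUL-separated (what ps reads)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]


def scan(cmdlines):
    """cmdlines: {pid: argv}. Returns {pid: [(flag, value), ...]} for processes that leak."""
    return {pid: hits for pid, argv in cmdlines.items() if (hits := find_secret_args(argv))}


# Constructed sample: a pre-0.1.0-style invocation beside two that expose nothing in argv.
SAMPLE = {
    101: ["/var/vcap/packages/system-metrics-server/bin/server",
          "--uaa-url=https://uaa.example.internal", "--uaa-password=hunter2"],
    102: ["/usr/sbin/sshd", "-D"],
    103: ["/var/vcap/packages/system-metrics-server/bin/server",  # hypothetical file-based form
          "--uaa-url=https://uaa.example.internal", "--uaa-password-file=/var/vcap/jobs/srv/uaa.pw"],
}

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE).items():
        for flag, value in hits:
            print(f"pid {pid}: --{flag} carries a secret in argv (redacted, {len(value)} chars)")
```

On a live host, replace SAMPLE with `{pid: read_proc_cmdline(pid) for pid in ...}` over the numeric entries of /proc; the scanner reports the flag name and value length only, so its own output does not re-leak the secret.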
References (1)
Vendor Advisory (x_refsource_confirm): https://www.cloudfoundry.org/blog/cve-2020-5422
Scores
CVSS v3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.0091
EPSS Percentile: 55.0%
Attack Vector: NETWORK
Details
CWE: CWE-214, CWE-668
Status: published
Products (1)
cloud_foundry/bosh_system_metrics_server: < 0.1.0
Published: Oct 02, 2020
Tracked Since: Feb 18, 2026