CredHub CLI writes environment variable credentials to disk
CVE-2019-3782

6.3MEDIUM

Key Information:

Vendor

Cloud Foundry

Status
Credhub Cli
Vendor
CVE Published:
13 February 2019

What is CVE-2019-3782?

Cloud Foundry CredHub CLI, versions prior to 2.2.1, inadvertently writes authentication credentials provided via environment variables to its persistent config file. A local authenticated malicious user with access to the CredHub CLI config file can use these credentials to retrieve and modify credentials stored in CredHub that are authorized to the targeted user.

Affected Version(s)

CredHub CLI All < 2.2.1

References

https://www.cloudfoundry.org/blog/cve-2019-3782
x_refsource_CONFIRM
http://www.securityfocus.com/bid/107038
vdb-entryx_refsource_BID

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

CVSS V3.0

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.