CF CLI writes the client id and secret to config file
CVE-2019-3800

6.3MEDIUM

Key Information:

Vendor

Cloud Foundry

Status
Cf Cli Release
Cf Cli
Vendor
CVE Published:
5 August 2019

What is CVE-2019-3800?

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

Affected Version(s)

CF CLI versions prior to v6.45.0

CF CLI Release v1.x before v1.16.0

References

https://www.cloudfoundry.org/blog/cve-2019-3800
x_refsource_CONFIRM
https://pivotal.io/security/cve-2019-3800
x_refsource_CONFIRM

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

CVSS V3.0

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.