CVE-2016-5006 Cloud Controller API logs user-provided service credentials | Cloud Foundry

ID: CFOUNDRY:9208D0C267D025E654FD6D6B008D009B
Published: 2016-07-26
Source: Cloud Foundry (www.cloudfoundry.org)

CVSS2: 5
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

CVSS3: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

EPSS: 0.002 (Percentile: 64.7%)

CVE-2016-5006 Cloud Controller API logs user-provided service credentials

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

Cloud Foundry releases prior to v239

Description

When creating a user-provided service (UPS) in Cloud Foundry, the Cloud Controller logs the entire UPS object including the credentials provided by the user.
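
The flaw described above, shown as an added example beside a hardened form. This is not Cloud Controller source code: the function names, the log message text, the `name`/`credentials` key layout and the sample values are all assumptions constructed for illustration.

```ruby
require 'json'
require 'logger'
require 'stringio'

# Added illustration, not Cloud Controller source. Key names are assumptions.
SENSITIVE_KEYS = %w[credentials].freeze
REDACTED = '[REDACTED]'

# Deep-copy obj, replacing the value under any sensitive key at any depth.
# The caller's object is not modified, so the real request still works.
def redact(obj)
  case obj
  when Hash
    obj.each_with_object({}) do |(key, value), out|
      out[key] = SENSITIVE_KEYS.include?(key.to_s) ? REDACTED : redact(value)
    end
  when Array
    obj.map { |value| redact(value) }
  else
    obj
  end
end

# The pattern the advisory describes: the whole UPS object reaches the log.
def log_create_unsafe(logger, ups)
  logger.info("creating user-provided service: #{ups.to_json}")
end

# Hardened form: only the redacted copy is serialized.
def log_create_safe(logger, ups)
  logger.info("creating user-provided service: #{redact(ups).to_json}")
end

# Run a logging call against an in-memory log and return what was written.
def captured_log
  io = StringIO.new
  yield Logger.new(io)
  io.string
end

# Constructed sample request body (not real credentials).
SAMPLE_UPS = {
  'name' => 'billing-db',
  'credentials' => { 'username' => 'svc', 'password' => 'constructed-secret' }
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts captured_log { |log| log_create_unsafe(log, SAMPLE_UPS) }
  puts captured_log { |log| log_create_safe(log, SAMPLE_UPS) }
end
```

Asserting that a known secret string never appears in captured log output, as the second call allows, is a cheap regression test for this class of bug.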

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that users upgrade to Cloud Foundry v239 [1] or later
  • Rotate all credentials associated with user-provided services for affected deployments. Refer to this document for more information.

References

[1] <https://github.com/cloudfoundry/cf-release/releases/tag/v239>

History

2016-07-26: Initial vulnerability report published
