CVE-2019-3800

CVSS v3 6.3 MEDIUM
CVSS v2.0 2.1 LOW

6.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Exploitability : 2.0 / Impact : 3.7

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

2.1^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

F CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

References

Link	Resource
https://pivotal.io/security/cve-2019-3800	Vendor Advisory
https://www.cloudfoundry.org/blog/cve-2019-3800	Vendor Advisory
https://pivotal.io/security/cve-2019-3800	Vendor Advisory
https://www.cloudfoundry.org/blog/cve-2019-3800	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pivotal:cloud_foundry_command_line_interface::::::::
	cpe:2.3:a:pivotal:cloud_foundry_command_line_interface_release::::::::
	cpe:2.3:a:pivotal:cloud_foundry_deployment::::::::
	cpe:2.3:a:pivotal:cloud_foundry_deployment_concourse_tasks::::::::
	cpe:2.3:a:pivotal:cloud_foundry_log_cache_release::::::::
	cpe:2.3:a:pivotal:cloud_foundry_networking_release::::::::
	cpe:2.3:a:pivotal:cloud_foundry_notifications::::::::
	cpe:2.3:a:pivotal:cloud_foundry_routing_release::::::::
	cpe:2.3:a:pivotal:cloud_foundry_smoke_test::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:pivotal:application_service::::::::
	cpe:2.3:a:pivotal:application_service::::::::
	cpe:2.3:a:pivotal:application_service::::::::
	cpe:2.3:a:pivotal:cloud_foundry_autoscaling_release::::::::
	cpe:2.3:a:pivotal:cloud_foundry_event_alerts::::::::
	cpe:2.3:a:pivotal:cloud_foundry_healthwatch::::::::
	cpe:2.3:a:pivotal:cloud_foundry_healthwatch::::::::
	cpe:2.3:a:pivotal:credhub_service_broker_for_pcf::::::::
	cpe:2.3:a:pivotal:metric_registrar_release::::::::
	cpe:2.3:a:pivotal:on_demand_service_broker::::::::
	cpe:2.3:a:pivotal:pivotal_cloud_foundry_service_broker::::::aws::*
	cpe:2.3:a:pivotal:single_sign-on::::::cloud_foundry::*
	cpe:2.3:a:pivotal:single_sign-on::::::cloud_foundry::*
	cpe:2.3:a:pivotal:single_sign-on::::::cloud_foundry::*

Configuration 3 (hide)

OR	cpe:2.3:a:anynines:elasticsearch::::::pivotal_cloud_foundry::*
	cpe:2.3:a:anynines:logme::::::pivotal_cloud_foundry::*
	cpe:2.3:a:anynines:mongodb::::::pivotal_cloud_foundry::*
	cpe:2.3:a:anynines:mysql::::::pivotal_cloud_foundry::*
	cpe:2.3:a:anynines:postgresql::::::pivotal_cloud_foundry::*
	cpe:2.3:a:anynines:rabbitmq::::::pivotal_cloud_foundry::*
	cpe:2.3:a:anynines:redis::::::pivotal_cloud_foundry::*
	cpe:2.3:a:apigee:edge_service_broker::::::pivotal_cloud_foundry::*
	cpe:2.3:a:appdynamics:application_analytics::::::pivotal_cloud_foundry::*
	cpe:2.3:a:appdynamics:application_performance_monitoring::::::pivotal_cloud_foundry::*
	cpe:2.3:a:appdynamics:platform_montioring::::::pivotal_cloud_foundry::*
	cpe:2.3:a:bluemedora:nozzle::::::pivotal_cloud_foundry::*
	cpe:2.3:a:contrastsecurity:service_broker::::::pivotal_cloud_foundry::*
	cpe:2.3:a:cyberark:conjur_service_broker::::::pivotal_cloud_foundry::*
	cpe:2.3:a:datadoghq:application_monitoring::::::pivotal_cloud_foundry::*
	cpe:2.3:a:datastax:enterprise_service_broker::::::pivotal_cloud_foundry::*
	cpe:2.3:a:dynatrace:service_broker::::::pivotal_cloud_foundry::*
	cpe:2.3:a:forgerock:service_broker::::::pivotal_cloud_foundry::*
	cpe:2.3:a:google:google_cloud_platform_service_broker::::::pivotal_cloud_foundry::*
	cpe:2.3:a:ibm:websphere_liberty_::::::pivotal_cloud_foundry::*
	cpe:2.3:a:microsoft:azure_log_analytics_nozzle::::::pivotal_cloud_foundry::*
	cpe:2.3:a:microsoft:azure_service_broker::::::pivotal_cloud_foundry::*
	cpe:2.3:a:newrelic:dotnet_extension_buildpack::::::pivotal_cloud_foundry::*
	cpe:2.3:a:newrelic:nozzle::::::pivotal_cloud_foundry::*
	cpe:2.3:a:newrelic:service_broker::::::pivotal_cloud_foundry::*
	cpe:2.3:a:pagerduty:service_broker::::::pivotal_cloud_foundry::*
	cpe:2.3:a:riverbed:steelcentral_appinternals::::::pivotal_cloud_foundry::*
	cpe:2.3:a:samba:volume_service::::::pivotal_cloud_foundry::*
	cpe:2.3:a:signalsciences:service_broker::::::pivotal_cloud_foundry::*
	cpe:2.3:a:snyk:service_broker::::::pivotal_cloud_foundry::*
	cpe:2.3:a:solace:pubsub\+::::::pivotal_cloud_foundry::*
	cpe:2.3:a:splunk:nozzle::::::pivotal_cloud_foundry::*
	cpe:2.3:a:sumologic:nozzle::::::pivotal_cloud_foundry::*
	cpe:2.3:a:synopsys:seeker_iast_service_broker::::::pivotal_cloud_foundry::*
	cpe:2.3:a:tibco:businessworks_buildpack:::::container:pivotal_cloud_foundry::
	cpe:2.3:a:wavefront:wavefront_by_vmware_nozzle::::::pivotal_cloud_foundry::*
	cpe:2.3:a:yugabyte:db_enterprise::::::pivotal_cloud_foundry::*

History

21 Nov 2024, 04:42

Type	Values Removed	Values Added
CVSS	v2 : ~~2.1~~ v3 : ~~7.8~~	v2 : 2.1 v3 : 6.3
References	~~() https://pivotal.io/security/cve-2019-3800 - Vendor Advisory~~	() https://pivotal.io/security/cve-2019-3800 - Vendor Advisory
References	~~() https://www.cloudfoundry.org/blog/cve-2019-3800 - Vendor Advisory~~	() https://www.cloudfoundry.org/blog/cve-2019-3800 - Vendor Advisory