CVE-2018-15797 HIGH

CVE-2018-15797: NFS Volume release errand leaks cf admin credentials in logs

Vendor: Cloud Foundry
Product: NFS Volume Release
Published: December 5, 2018
Last update: September 16, 2024

CVSS base score

8.4/10
Attack vector: Adjacent
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Cloud Foundry NFS volume release, 1.2.x prior to 1.2.5, 1.5.x prior to 1.5.4, 1.7.x prior to 1.7.3, logs the cf admin username and password when running the nfsbrokerpush BOSH deploy errand. A remote authenticated user with access to BOSH can obtain the admin credentials for the Cloud Foundry Platform through the logs of the NFS volume deploy errand.

Key dates

02 Disclosure timeline

December 5, 2018: CVE published
September 16, 2024: Record updated