CVE-2019-3780 CRITICAL

CVE-2019-3780: Cloud Foundry Container Runtime Leaks IAAS Credentials

Vendor Cloud Foundry
Product Cloud Foundry Container Runtime (CFCR)
Weakness CWE-260
Published March 8, 2019
Last update September 16, 2024

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Cloud Foundry Container Runtime, versions prior to 0.28.0, deploys K8s worker nodes that contain a configuration file with IAAS credentials. A malicious user with access to the K8s nodes can obtain the IAAS credentials, allowing the user to escalate privileges to gain access to the IAAS account.

Key dates

02 Disclosure timeline

March 8, 2019 CVE published
September 16, 2024 Record updated