CRITICAL🇬🇧 English

CVE-2016-6658

CVSS 9.6v3.0pub. 2018-03-29upd. 2024-11-21

Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repo. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud Controller database could view these credentials.

oryginał EN
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
  • Cloudfoundry Cf Release

    APP
    Cloudfoundry
    < 245
  • Pivotal Software Cloud Foundry Elastic Runtime

    APP
    Pivotal Software
    < 1.6.491.7.0 – 1.7.31 (bez)1.8.0 – 1.8.11 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2015-5171CRITICAL9.8ten sam produkt

The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivota...

CVE-2015-5172CRITICAL9.8ten sam produkt

Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime...

CVE-2016-8218CRITICAL9.8ten sam produkt

An issue was discovered in Cloud Foundry Foundation routing-release versions prior to 0.142.0 and cf-release v...

CVE-2016-6655CRITICAL9.8ten sam produkt

An issue was discovered in Cloud Foundry Foundation Cloud Foundry release versions prior to v245 and cf-mysql-...

CVE-2017-2773CRITICAL9.8ten sam produkt

An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions prior to 1.6.60, 1.7.x versions prior to...