CVE-2016-6658 — Sensitive Information Exposure in Cf-release

CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

9.6CRITICALNVD

EPSS

0.3%

top 47.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloudfoundry Cf-release Pivotal Software Cloud Foundry Elastic Runtime

Timeline

PublishedMar 29

Latest updateMay 14

Description

Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repo. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud Con…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:NExploitability: 3.1 | Impact: 5.8

Affected Packages2 packages

▶NVDcloudfoundry/cf-release< 245

▶NVDpivotal_software/cloud_foundry_elastic_runtime1.7.0 — 1.7.31+2

🔴Vulnerability Details

GHSA

GHSA-5559-gfmr-27qq: Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack↗2022-05-14

▶

CVEList

CVE-2016-6658: Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack↗2018-03-29

▶