CVE-2019-3800
Published 2019-08-05
Priority: P3 · Severity: high · CVSS 3.0 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.09% (79.3rd percentile)
CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.
Affected (62 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anynines | elasticsearch | < 2.1.2 | 2.1.2 |
| anynines | logme | < 2.1.2 | 2.1.2 |
| anynines | mongodb | < 2.1.2 | 2.1.2 |
| anynines | mysql | < 2.1.2 | 2.1.2 |
| anynines | postgresql | < 2.1.2 | 2.1.2 |
| anynines | rabbitmq | < 2.1.2 | 2.1.2 |
| anynines | redis | < 2.1.2 | 2.1.2 |
| apigee | edge_service_broker | < 3.1.3 | 3.1.3 |
| appdynamics | application_analytics | < 4.7.652 | 4.7.652 |
| appdynamics | application_performance_monitoring | < 4.6.64 | 4.6.64 |
| appdynamics | platform_montioring | < 4.7.712 | 4.7.712 |
| bluemedora | nozzle | < 3.1.1 | 3.1.1 |
| cloud_foundry | cf_cli | — | — |
| cloud_foundry | cf_cli_release | — | — |
| contrastsecurity | service_broker | < 2.2.0 | 2.2.0 |
| cyberark | conjur_service_broker | < 1.1.1 | 1.1.1 |
| datadoghq | application_monitoring | < 1.7.0 | 1.7.0 |
| datastax | enterprise_service_broker | < 1.0.2 | 1.0.2 |
| dynatrace | service_broker | < 1.4.2 | 1.4.2 |
| forgerock | service_broker | < 2.1.2 | 2.1.2 |
| — | google_cloud_platform_service_broker | < 4.2.3 | 4.2.3 |
| ibm | websphere_liberty | < 3.11.0 | 3.11.0 |
| microsoft | azure_log_analytics_nozzle | < 1.4.1 | 1.4.1 |
| microsoft | azure_service_broker | < 1.4.1 | 1.4.1 |
| newrelic | dotnet_extension_buildpack | < 1.1.1 | 1.1.1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.