CVE-2021-22115 — Insufficiently Protected Credentials in Capi-release

CWE-522 — Insufficiently Protected Credentials3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 55.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloudfoundry Capi-release Cloudfoundry Cf-deployment

Timeline

PublishedApr 8

Latest updateMay 24

Description

Cloud Controller API versions prior to 1.106.0 logs service broker credentials if the default value of db logging config field is changed. CAPI database logs service broker password in plain text whenever a job to clean up orphaned items is run by Cloud Controller.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDcloudfoundry/capi-release< 1.106.0

▶NVDcloudfoundry/cf-deployment< 16.2.0

🔴Vulnerability Details

GHSA

GHSA-vhwm-f423-2fx6: Cloud Controller API versions prior to 1↗2022-05-24

▶

CVEList

CVE-2021-22115: Cloud Controller API versions prior to 1↗2021-04-08

▶