Vulnerability Details : CVE-2019-3782
Cloud Foundry CredHub CLI, versions prior to 2.2.1, inadvertently writes authentication credentials provided via environment variables to its persistent config file. A local authenticated malicious user with access to the CredHub CLI config file can use these credentials to retrieve and modify credentials stored in CredHub that are authorized to the targeted user.
Products affected by CVE-2019-3782
- cpe:2.3:a:cloudfoundry:credhub_cli:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-3782
- 0.04%: Probability of exploitation activity in the next 30 days
- ~ 6 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-3782
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST | |
6.3 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L | 2.0 | 3.7 | Dell | |
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
CWE ids for CVE-2019-3782
- The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Assigned by:
- nvd@nist.gov (Primary)
- security_alert@emc.com (Secondary)
References for CVE-2019-3782
- https://www.cloudfoundry.org/blog/cve-2019-3782
  CVE-2019-3782: CredHub CLI writes environment variable credentials to disk | Cloud Foundry (Vendor Advisory)
- http://www.securityfocus.com/bid/107038
  Cloud Foundry CredHub CLI CVE-2019-3782 Arbitrary File Write Vulnerability (Third Party Advisory; VDB Entry)