CVE-2019-3800

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

Link	Resource
https://pivotal.io/security/cve-2019-3800	Vendor Advisory
https://www.cloudfoundry.org/blog/cve-2019-3800	Vendor Advisory

Configuration 1

cpe:2.3:a:pivotal:cloud_foundry_notifications:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:cloud_foundry_log_cache_release:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:cloud_foundry_deployment_concourse_tasks:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:cloud_foundry_deployment:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:cloud_foundry_smoke_test:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:cloud_foundry_routing_release:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:cloud_foundry_networking_release:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:cloud_foundry_command_line_interface_release:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:cloud_foundry_command_line_interface:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:pivotal_cloud_foundry_service_broker:*:*:*:*:*:aws:*:* cpe:2.3:a:pivotal:on_demand_service_broker:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:metric_registrar_release:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:credhub_service_broker_for_pcf:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:cloud_foundry_autoscaling_release:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:cloud_foundry_event_alerts:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:application_service:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:application_service:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:application_service:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:cloud_foundry_healthwatch:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:cloud_foundry_healthwatch:*:*:*:*:*:*:*:* cpe:2.3:a:pivotal:single_sign-on:*:*:*:*:*:cloud_foundry:*:* cpe:2.3:a:pivotal:single_sign-on:*:*:*:*:*:cloud_foundry:*:* cpe:2.3:a:pivotal:single_sign-on:*:*:*:*:*:cloud_foundry:*:* cpe:2.3:a:apigee:edge_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:newrelic:dotnet_extension_buildpack:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:microsoft:azure_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:appdynamics:application_analytics:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:appdynamics:application_performance_monitoring:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:appdynamics:platform_montioring:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:bluemedora:nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:contrastsecurity:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:cyberark:conjur_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:datadoghq:application_monitoring:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:datastax:enterprise_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:dynatrace:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:forgerock:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:google:google_cloud_platform_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:ibm:websphere_liberty_:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:microsoft:azure_log_analytics_nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:newrelic:nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:newrelic:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:pagerduty:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:riverbed:steelcentral_appinternals:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:signalsciences:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:wavefront:wavefront_by_vmware_nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:tibco:businessworks_buildpack:*:*:*:*:container:pivotal_cloud_foundry:*:* cpe:2.3:a:solace:pubsub+:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:snyk:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:samba:volume_service:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:splunk:nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:sumologic:nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:synopsys:seeker_iast_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:yugabyte:db_enterprise:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:anynines:elasticsearch:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:anynines:logme:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:anynines:mysql:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:anynines:postgresql:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:anynines:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:anynines:redis:*:*:*:*:*:pivotal_cloud_foundry:*:* cpe:2.3:a:anynines:mongodb:*:*:*:*:*:pivotal_cloud_foundry:*:*

---

Published : 2019-08-05 05:15

Updated : 2019-10-09 11:49

---

NVD link : CVE-2019-3800

Mitre link : CVE-2019-3800

Db Enterprise

Yugabyte

CWE-200