Insufficiently Protected Credentials

CVE-2019-3800

Medium

6.3/10

Summary

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: LOW
Scope: CHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: LOW
Availability Impact: LOW

CWE-522 - Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References

Advisory Timeline

Published Aug 05, 2019

Insufficiently Protected Credentials

CVE-2019-3800

Summary

CWE-522 - Insufficiently Protected Credentials

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS