Skip to main content

Insufficiently Protected Credentials

CVE-2019-3800

Severity Medium
Score 6.3/10

Summary

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

  • LOW
  • LOCAL
  • LOW
  • CHANGED
  • NONE
  • LOW
  • LOW
  • LOW

CWE-522 - Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References

Advisory Timeline

  • Published