Invocation of Process Using Visible Sensitive Information

CVE-2020-5422

Medium

6.5/10

Summary

BOSH System Metrics Server releases prior to 0.1.0 exposed the UAA password as a flag to a process running on the BOSH director. It exposed the password to any user or process with access to the same VM (through ps or looking at process details).

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-214 - Invocation of Process Using Visible Sensitive Information

A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.

References

Advisory Timeline

Published Oct 02, 2020

Invocation of Process Using Visible Sensitive Information

CVE-2020-5422

Summary

CWE-214 - Invocation of Process Using Visible Sensitive Information

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS