CVE-2019-3780

Published: Mar 8, 2019Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Cloud Foundry Container Runtime, versions prior to 0.28.0, deploys K8s worker nodes that contains a configuration file with IAAS credentials. A malicious user with access to the k8s nodes can obtain IAAS credentials allowing the user to escalate privileges to gain access to the IAAS account.

Affected (1)

Products: Cloudfoundry: Container Runtime

1 product

Container Runtime

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cloudfoundry Container Runtime	Before 0.28.0

Related CWEs

Password in Configuration File

The product stores a password in a configuration file that might be accessible to actors who do not know the password.

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References (4)

http://www.securityfocus.com/bid/107434

Source: security_alert@emc.com

Third Party AdvisoryVDB Entry

https://www.cloudfoundry.org/blog/cve-2019-3780

Source: security_alert@emc.com

Vendor Advisory

http://www.securityfocus.com/bid/107434

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://www.cloudfoundry.org/blog/cve-2019-3780

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.