CVE-2019-3800
Summary
| CVE | CVE-2019-3800 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-08-05 17:15:00 UTC |
| Updated | 2019-10-09 23:49:00 UTC |
| Description | CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials. |
Risk And Classification
Problem Types: CWE-200
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Anynines | Elasticsearch | All | All | All | All |
| Application | Anynines | Logme | All | All | All | All |
| Application | Anynines | Mongodb | All | All | All | All |
| Application | Anynines | Mysql | All | All | All | All |
| Application | Anynines | Postgresql | All | All | All | All |
| Application | Anynines | Rabbitmq | All | All | All | All |
| Application | Anynines | Redis | All | All | All | All |
| Application | Apigee | Edge Service Broker | All | All | All | All |
| Application | Appdynamics | Application Analytics | All | All | All | All |
| Application | Appdynamics | Application Performance Monitoring | All | All | All | All |
| Application | Appdynamics | Platform Monitoring | All | All | All | All |
| Application | Bluemedora | Nozzle | All | All | All | All |
| Application | Contrastsecurity | Service Broker | All | All | All | All |
| Application | Cyberark | Conjur Service Broker | All | All | All | All |
| Application | Datadoghq | Application Monitoring | All | All | All | All |
| Application | Datastax | Enterprise Service Broker | All | All | All | All |
| Application | Dynatrace | Service Broker | All | All | All | All |
| Application | Forgerock | Service Broker | All | All | All | All |
| Application | Google | Cloud Platform Service Broker | All | All | All | All |
| Application | Ibm | Websphere Liberty | All | All | All | All |
| Application | Microsoft | Azure Log Analytics Nozzle | All | All | All | All |
| Application | Microsoft | Azure Service Broker | All | All | All | All |
| Application | Newrelic | Dotnet Extension Buildpack | All | All | All | All |
| Application | Newrelic | Nozzle | All | All | All | All |
| Application | Newrelic | Service Broker | All | All | All | All |
| Application | Pagerduty | Service Broker | All | All | All | All |
| Application | Pivotal | Application Service | All | All | All | All |
| Application | Pivotal | Cloud Foundry Autoscaling Release | All | All | All | All |
| Application | Pivotal | Cloud Foundry Command Line Interface | All | All | All | All |
| Application | Pivotal | Cloud Foundry Command Line Interface Release | All | All | All | All |
| Application | Pivotal | Cloud Foundry Deployment | All | All | All | All |
| Application | Pivotal | Cloud Foundry Deployment Concourse Tasks | All | All | All | All |
| Application | Pivotal | Cloud Foundry Event Alerts | All | All | All | All |
| Application | Pivotal | Cloud Foundry Healthwatch | All | All | All | All |
| Application | Pivotal | Cloud Foundry Log Cache Release | All | All | All | All |
| Application | Pivotal | Cloud Foundry Networking Release | All | All | All | All |
| Application | Pivotal | Cloud Foundry Notifications | All | All | All | All |
| Application | Pivotal | Cloud Foundry Routing Release | All | All | All | All |
| Application | Pivotal | Cloud Foundry Smoke Test | All | All | All | All |
| Application | Pivotal | Credhub Service Broker For Pcf | All | All | All | All |
| Application | Pivotal | Metric Registrar Release | All | All | All | All |
| Application | Pivotal | On Demand Service Broker | All | All | All | All |
| Application | Pivotal | Pivotal Cloud Foundry Service Broker | All | All | All | All |
| Application | Pivotal | Single Sign-on | All | All | All | All |
| Application | Riverbed | Steelcentral Appinternals | All | All | All | All |
| Application | Samba | Volume Service | All | All | All | All |
| Application | Signalsciences | Service Broker | All | All | All | All |
| Application | Snyk | Service Broker | All | All | All | All |
| Application | Solace | Pubsub | All | All | All | All |
| Application | Splunk | Nozzle | All | All | All | All |
| Application | Sumologic | Nozzle | All | All | All | All |
| Application | Synopsys | Seeker Iast Service Broker | All | All | All | All |
| Application | Tibco | Businessworks Buildpack | All | All | All | All |
| Application | Wavefront | Wavefront By Vmware Nozzle | All | All | All | All |
| Application | Yugabyte | Db Enterprise | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| CVE-2019-3800: CF CLI writes the client id and secret to config file \| Security \| VMware Tanzu | CONFIRM | pivotal.io | Vendor Advisory |
| CVE-2019-3800: CF CLI writes the client id and secret to config file \| Cloud Foundry | CONFIRM | www.cloudfoundry.org | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.