Main Vulnerability Database SB2019120414

SB2019120414 - Information disclosure in Cloud Foundry UAA and CF Deployment

Published: December 4, 2019 Updated: December 4, 2019

Security Bulletin ID SB2019120414

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Credentials management (CVE-ID: CVE-2019-11293)

The vulnerability allows a remote user to access sensitive information on a targeted system.

The vulnerability exists due to logs client_secret credentials are sent as a query param, when set to logging level DEBUG. A remote user can gain access to user credentials via the "uaa.log" file if authentication is provided via query parameters.

Remediation

Install update from vendor's website.

References

https://www.cloudfoundry.org/blog/cve-2019-11293/