CVE-2016-6638 Credential Vulnerability for Custom Buildpacks
Severity
Medium
Vendor
Cloud Foundry Foundation
Versions Affected
- cf-release versions prior to 245
- Please note: this CVE was intended to be fixed in cf-release 241, but that fix was later found to be incomplete; the incomplete fix was assigned CVE-2016-6658.
Description
Applications can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repo. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud Controller database could view these credentials.
Mitigation
OSS users are strongly encouraged to apply the mitigation below:
- Upgrade to the latest version of cf-release [1]
Credit
Cloud Foundry Cloud Controller Team
References
History
2016-09-07: Initial vulnerability report finalized
2017-08-16: Initial vulnerability report published