CVE-2017-8038: Credentials readable from CredHub endpoint

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

Credhub-release version 1.1.0 only

Description

CredHub access control lists (ACLs) enforce whether an authenticated user can perform an operation on a credential. For installations using ACLs, the ACL was bypassed for the CredHub interpolate endpoint, allowing authenticated applications to view any credential within the CredHub installation.

Mitigation

Users of affected versions should apply the following mitigation or upgrade:

Upgrade to credhub-release v1.2.0 [1] or later

Please note: All credential access is logged in the event_audit_record table of the CredHub database and should be reviewed for anomalous events.

Credit

This vulnerability was responsibly reported by the CredHub team.

References

[1] https://github.com/pivotal-cf/credhub-release/releases

History

2017-07-31: Initial vulnerability report published

CVE-2017-8038: Credentials readable from CredHub endpoint

CVE-2017-8038: Credentials readable from CredHub endpoint

Severity

Vendor

Versions Affected

Description

Mitigation

Credit

References

History

You Might Also Like

CVE-2017-8037: Incomplete fix for Cloud Controller API access to CC VM Contents

USN-4221-1: libpcap vulnerability

USN-3392-2: Linux kernel (Xenial HWE) regression

Sign up for the Cloud Foundry Newsletter today!

Sign up for the
Cloud Foundry Newsletter today!