Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2017-8038: Credentials readable from CredHub endpoint

CVE-2017-8038: Credentials readable from CredHub endpoint

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

  • Credhub-release version 1.1.0 only

Description

CredHub access control lists (ACLs) enforce whether an authenticated user can perform an operation on a credential. For installations using ACLs, the ACL was bypassed for the CredHub interpolate endpoint, allowing authenticated applications to view any credential within the CredHub installation.

Mitigation

Users of affected versions should apply the following mitigation or upgrade:

  • Upgrade to credhub-release v1.2.0 [1] or later

Please note: All credential access is logged in the event_audit_record table of the CredHub database and should be reviewed for anomalous events.

Credit

This vulnerability was responsibly reported by the CredHub team.

References

History

2017-07-31: Initial vulnerability report published

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES