Severity
CVSS Score: High 7.1
CVSSv4: High 7.1 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:H/SA:H)
CVSSv3: High 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Vendor
Cloudfoundry Foundation / BOSH
Versions Affected
*Severity is High unless otherwise noted.
BOSH
– All versions prior to v282.1.9
Description
A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials (Basic auth header or UAA client secret) and can tamper with the VM list that is written into the NATS authorization file. Stolen credentials grant administrative director access.
UsersSync#bosh_api_response_body builds a Net::HTTP client with verify_mode = OpenSSL::SSL::VERIFY_NONE for every director call (/info, /deployments, /deployments/<name>/vms). The unauthenticated /info response feeds NATSSync::AuthProvider (auth_provider.rb:15-28), which sends the UAA client_secret to whatever URL /info returned.
Authenticated calls then carry the resulting Authorization header over the same unverified channel. The director response also drives write_nats_config_file, so a MITM can influence which subjects appear in NATS authz.
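The two weaknesses named above, VERIFY_NONE on the director client and trusting the UAA URL that the unauthenticated /info response supplies, with their hardened counterparts, as an added example that is not nats-sync's or BOSH's own code. The /info JSON shape (user_authentication / options / url), the CA bundle path and the host names are assumptions.

```ruby
require 'net/http'
require 'openssl'
require 'json'
require 'uri'

# Raised when /info points at a UAA endpoint we are not willing to send a
# client_secret to. Subclass of StandardError so a plain rescue catches it.
class UntrustedUaaUrl < StandardError; end

# Hardened replacement for a client built with verify_mode = VERIFY_NONE.
# ca_file is the CA bundle that signed the director's TLS certificate
# (assumed path; the operator supplies the real one).
def build_director_client(director_url, ca_file:)
  uri = URI(director_url)
  raise ArgumentError, "director URL must be https" unless uri.scheme == "https"
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER # the weak setting was VERIFY_NONE
  http.ca_file = ca_file
  http
end

# True only when the client will verify the director's certificate.
def secure_client_configured?(http)
  http.use_ssl? && http.verify_mode == OpenSSL::SSL::VERIFY_PEER
end

# /info is unauthenticated, so under a MITM its body is attacker-controlled.
# Accept a UAA URL only if it is https and its host is on the operator's
# allowlist; otherwise refuse before any client_secret leaves the process.
def uaa_url_from_info(info_body, allowed_hosts:)
  info = JSON.parse(info_body)
  auth = info.fetch("user_authentication", {})
  return nil unless auth["type"] == "uaa" # basic-auth directors have no UAA URL
  url = auth.fetch("options", {})["url"].to_s
  uri = URI(url)
  unless uri.scheme == "https" && allowed_hosts.include?(uri.host)
    raise UntrustedUaaUrl, "refusing UAA URL #{url.inspect}: not https or host not allowed"
  end
  uri.to_s
end

# Constructed sample /info bodies: one as an honest director would return it,
# one as a tampered response that redirects the UAA login elsewhere.
GOOD_INFO = '{"name":"bosh","user_authentication":{"type":"uaa",' \
            '"options":{"url":"https://uaa.example.internal:8443"}}}'
TAMPERED_INFO = '{"name":"bosh","user_authentication":{"type":"uaa",' \
                '"options":{"url":"http://uaa.untrusted.invalid"}}}'
```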
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below.
The Cloudfoundry Foundation project recommends upgrading the following releases:
BOSH
– Upgrade BOSH versions to v282.1.9 or greater
Credit
n/a
History
June 1st 2026: Initial vulnerability report published
