CVE-2016-6658
Description
Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repo. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud Controller database could view these credentials.
Timeline
- 2016-08-10 CVE Reserved
- 2018-03-29 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
References (1)
URL | Date | Source
---|---|---
https://pivotal.io/security/cve-2016-6658 | 2018-04-24 | -
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Cloudfoundry | Cf-release | < 245 | - | Affected
Pivotal Software | Cloud Foundry Elastic Runtime | < 1.6.49 | - | Affected
Pivotal Software | Cloud Foundry Elastic Runtime | >= 1.7.0 < 1.7.31 | - | Affected
Pivotal Software | Cloud Foundry Elastic Runtime | >= 1.8.0 < 1.8.11 | - | Affected