Vulnerability Name:

CVE-2019-3781 (CCN-158327)

Assigned: 2019-02-25
Published: 2019-02-25
Updated: 2020-10-19
Summary: Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a user's password.
CVSS v3 Severity: 8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-200
CWE-215
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2019-3781

Source: BID
Type: Third Party Advisory, VDB Entry
107365

Source: XF
Type: UNKNOWN
cloudfoundry-cve20193781-info-disc(158327)

Source: CCN
Type: Cloud Foundry Web site
Cloud Foundry

Source: CONFIRM
Type: Vendor Advisory
https://www.cloudfoundry.org/blog/cve-2019-3781

Source: CCN
Type: Cloud Foundry Blog, February 25, 2019
CVE-2019-3781: CF CLI does not sanitize user’s password in verbose/trace/debug

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:cloudfoundry:command_line_interface:*:*:*:*:*:*:*:* (Version < 6.43.0)

Vulnerable Components:
  • cloudfoundry command line interface *

  * Denotes that component is vulnerable

Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20193781 | V | CVE-2019-3781 | 2022-05-22
oval:org.opensuse.security:def:49456 | P | Security update for php72 (Moderate) | 2021-11-19
oval:org.opensuse.security:def:68372 | P | Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP3) (Important) | 2021-11-19
oval:org.opensuse.security:def:49455 | P | Security update for php74 (Moderate) | 2021-11-18
oval:org.opensuse.security:def:1904 | P | bouncycastle-1.64-1.63 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1946 | P | perl-Net-Libproxy-0.4.15-12.72 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1945 | P | perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.10.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:71828 | P | glibc-locale-32bit-2.26-13.8.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1913 | P | cups-ddk-2.2.7-3.26.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1900 | P | apache-commons-compress-1.19-1.63 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1915 | P | dom4j-1.6.1-10.12 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1905 | P | bsdtar-3.4.2-2.24 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1947 | P | perl-PerlMagick-7.0.7.34-10.15.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1921 | P | go1.16-1.16.3-1.11.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1914 | P | cvs-1.12.12-2.30 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1934 | P | libtidy-devel-5.4.0-3.2.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1916 | P | dpkg-1.19.0.4-2.30 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1939 | P | openldap2-devel-32bit-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1922 | P | gradle-4.4.1-1.87 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1944 | P | perl-DNS-LDNS-1.7.0-4.3.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1935 | P | log4j12-javadoc-1.2.17-2.26 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1899 | P | ant-1.10.7-4.3.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1940 | P | osc-0.172.0-3.26.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:48892 | P | argyllcms-1.6.3-3.3 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48411 | P | emacs-24.3-16.32 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48427 | P | git-core-1.8.5.6-18.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48552 | P | libsqlite3-0-3.8.10.2-3.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48412 | P | eog-3.20.4-7.7 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48750 | P | libvirt-client-32bit-1.2.18.1-4.22 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48428 | P | glib2-lang-2.48.2-10.2 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48891 | P | NetworkManager-1.0.12-13.6.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48553 | P | libsrtp1-1.5.2-2.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48751 | P | libwmf-0_2-7-0.2.8.4-242.3 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48410 | P | elfutils-0.158-6.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:49139 | P | Security update for slurm_20_02 (Important) | 2020-12-21
oval:org.opensuse.security:def:1896 | P | xorg-x11-server-sdk-1.20.3-20.11 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:48986 | P | gcc48-gij-32bit-4.8.5-31.20.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:71712 | P | rpcbind-0.2.3-5.9.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:1893 | P | python3-tools-3.6.10-3.53.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:1894 | P | rpm-build-4.14.1-20.3 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:1895 | P | subversion-bash-completion-1.10.6-3.6.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:48985 | P | freerdp-2.0.0~git.1463131968.4e66df7-12.8.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:2594 | P | Security update for cf-cli (Moderate) | 2020-12-02
oval:org.opensuse.security:def:2584 | P | Security update for postgresql10 (Important) | 2020-12-02
oval:org.opensuse.security:def:2595 | P | Security update for cf-cli (Moderate) | 2020-12-02
oval:org.opensuse.security:def:2585 | P | Security update for c-ares (Moderate) | 2020-12-02
oval:org.opensuse.security:def:50967 | P | Security update for libxml2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49366 | P | yast2-users on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49588 | P | open-vm-tools-desktop on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49140 | P | libXcursor-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51030 | P | Security update for cf-cli (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50968 | P | Security update for shim (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49522 | P | gstreamer-plugins-bad on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49367 | P | yubikey-manager on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49618 | P | eog on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:65128 | P | Security update for cf-cli (Moderate) | 2020-12-01
oval:org.opensuse.security:def:65038 | P | Security update for tiff (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49691 | P | libraptor-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49523 | P | gtk2-data on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49619 | P | evince on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:68475 | P | Security update for cf-cli (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49692 | P | librsvg-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49587 | P | newt-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51029 | P | Security update for cf-cli (Moderate) | 2020-12-01
oval:org.opensuse.security:def:104130 | P | Security update for cf-cli (Moderate) | 2019-07-02
oval:org.opensuse.security:def:90475 | P | Security update for cf-cli (Moderate) | 2019-07-02
oval:org.opensuse.security:def:97440 | P | Security update for cf-cli (Moderate) | 2019-07-02