PT-2018-13213 · Cloud Foundry · Bosh+1

Published: 2018-12-05 · Updated: 2020-08-24

CVE-2018-15797

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Cloud Foundry NFS volume release versions 1.2.x through 1.2.5
Cloud Foundry NFS volume release versions 1.5.x through 1.5.4
Cloud Foundry NFS volume release versions 1.7.x through 1.7.3

Description

The issue allows a remote authenticated user with access to BOSH to obtain the admin credentials for the Cloud Foundry Platform. This is possible because the nfsbrokerpush BOSH deploy errand logs the cf admin username and password.

Recommendations

For versions 1.2.x through 1.2.5, update to version 1.2.5 or later to resolve the issue.
For versions 1.5.x through 1.5.4, update to version 1.5.4 or later to resolve the issue.
For versions 1.7.x through 1.7.3, update to version 1.7.3 or later to resolve the issue.

As a temporary workaround, consider restricting access to the BOSH logs to minimize the risk of exploitation.

Fix

Insertion into Log File

Weakness Enumeration

Related identifiers

CVE-2018-15797

Affected products

Bosh
Cloud Foundry Nfs Volume