CVE-2016-6658

Name of the Vulnerable Software and Affected Versions cf-release versions prior to 245

Description The issue allows an operator with privileged access to the Cloud Controller database to view user-provided credentials, such as basic auth or OAuth, used to access custom buildpacks. These credentials can be included in the URL to access the buildpack and are stored unencrypted. For example, a GitHub username and password used to access a private repository could be exposed.

Recommendations For versions prior to 245, consider removing or restricting access to custom buildpacks that use user-provided credentials until a fixed version is available. As a temporary workaround, avoid using credentials in the URL to access buildpacks, and instead, explore alternative authentication methods that do not involve storing sensitive information in plain text.