PT-2020-18473 · Bosh · Bosh System Metrics Server

Published

2020-10-02

·

Updated

2020-10-14

·

CVE-2020-5422

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

BOSH System Metrics Server versions prior to 0.1.0

Description

The affected software passes the UAA password as a command-line flag to a process running on the BOSH director, which makes it readable by any user or process with access to the same VM. The password can be read with commands such as ps or by inspecting the process details.

Recommendations

For versions prior to 0.1.0, update to version 0.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the BOSH director VM to minimize the risk of password exposure.
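The weakness described above is a general one: anything placed in a process's argument vector is visible to every local user through ps or /proc/&lt;pid&gt;/cmdline. The following audit script is an added example written for this page; it is not code from the advisory or from the BOSH project. It flags running processes whose arguments look like credentials and reports only the flag names, never the values. The sample command line, the flag names in it and the /var/vcap path are constructed for illustration; the advisory does not name the actual option the affected release used.

```python
import os
import re
from typing import Dict, List

# Argument names that usually carry a secret. The real flag name used by the
# affected BOSH System Metrics Server release is not given in the advisory, so
# this is a generic pattern rather than the product's option name.
SECRET_ARG_RE = re.compile(r"(?i)(pass(word|wd)?|secret|token|api[-_]?key)")

# Names ending in file/path point at where a secret lives, not the secret itself.
FILE_REF_RE = re.compile(r"(?i)[-_]?(file|path)$")


def split_cmdline(raw: bytes) -> List[str]:
    """Split a /proc/<pid>/cmdline buffer (NUL-separated argv) into arguments."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\x00") if a]


def find_secret_args(argv: List[str]) -> List[str]:
    """Return the names of flags in argv that look like they carry a credential.

    Handles both '--flag=value' and '--flag value' forms. Only the flag name is
    returned, never the value, so the audit output does not leak the secret."""
    hits = []
    for i, arg in enumerate(argv):
        if not arg.startswith("-"):
            continue
        name = arg.split("=", 1)[0]
        if not SECRET_ARG_RE.search(name) or FILE_REF_RE.search(name):
            continue
        # A flag with '=' carries its value inline; a bare flag followed by a
        # non-flag argument carries it in the next argv entry. Either way the
        # value sits in the argument vector and is readable by every local user.
        inline = "=" in arg
        next_is_value = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        if inline or next_is_value:
            hits.append(name)
    return hits


def audit_proc() -> Dict[int, List[str]]:
    """Scan /proc for live processes exposing credential-looking arguments.

    Returns {pid: [flag names]}. Processes that exit mid-scan, or whose cmdline
    we are not allowed to read, are skipped. Returns {} where /proc is absent."""
    findings: Dict[int, List[str]] = {}
    if not os.path.isdir("/proc"):
        return findings
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                argv = split_cmdline(fh.read())
        except OSError:
            continue
        hits = find_secret_args(argv)
        if hits:
            findings[int(entry)] = hits
    return findings


# Constructed sample: argv as it would appear in /proc/<pid>/cmdline.
# Path, flag names and values are invented for illustration only.
SAMPLE_CMDLINE = (
    b"/var/vcap/packages/example-server/bin/example-server\x00"
    b"--uaa-url=https://uaa.example.internal:8443\x00"
    b"--uaa-client-secret=REDACTED-EXAMPLE\x00"
    b"--listen-port\x00"
    b"25555\x00"
)

if __name__ == "__main__":
    print("sample process exposes:", find_secret_args(split_cmdline(SAMPLE_CMDLINE)))
    for pid, flags in audit_proc().items():
        print(f"pid {pid}: {flags}")
```

Run it on the director VM as an unprivileged user to confirm the point of the advisory: the scan needs no special rights to see another user's arguments. The same check is useful as a pre-deploy test for any job that accepts secrets on its command line; the fix for such a job is to read the secret from a file with restrictive permissions or from the environment of the process alone, not from argv.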

Fix

Exposure of Resource to Wrong Sphere


Weakness Enumeration

Related Identifiers

CVE-2020-5422

Affected Products

Bosh System Metrics Server