PT-2021-14857 · Unknown · Cloud Controller Api

Published

2021-04-08

Updated

2021-04-14

CVE-2021-22115

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Cloud Controller API versions prior to 1.106.0

Description The issue concerns the logging of service broker credentials in plain text. Specifically, when the default value of the db logging config field is changed, the Cloud Controller API logs service broker credentials. Additionally, the CAPI database logs the service broker password in plain text whenever a job to clean up orphaned items is run by the Cloud Controller.

Recommendations For Cloud Controller API versions prior to 1.106.0, update to version 1.106.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the CAPI database logs to minimize the risk of exploitation. Avoid changing the default value of the db logging config field until the issue is resolved.

Fix

Insufficiently Protected Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-522

Related Identifiers

CVE-2021-22115

Affected Products

Cloud Controller Api

PT-2021-14857 · Unknown · Cloud Controller Api

CVE-2021-22115

Weakness Enumeration

Related Identifiers

Affected Products

References · 3