PT-2026-43566 · Cloud Foundry Foundation+2 · Bosh Director+1
Published
2026-05-27
·
Updated
2026-06-08
·
CVE-2026-41009
CVSS v3.1
5.8
Medium
| Vector | AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
BOSH Director versions prior to v282.1.12
Description
When the director sends a long-running request, such as
compile package, the agent's reply JSON is processed by AgentClient. The functions inject compile log() and format exception() read the compile log id and blobstore id from the response and pass these agent-supplied strings unmodified to download and delete blob(blob id). This function subsequently calls @resource manager.get resource(blob id) and @resource manager.delete resource(blob id), which forward the ID to blobstore.get(id) and blobstore.delete(id). If the director uses the local blobstore provider, Blobstore::LocalClient#object file path(oid) uses File.join(@blobstore path, oid) without normalization. This allows an attacker to use a path like ../../jobs/director/config/director.yml to resolve files outside the blobstore root.Recommendations
Update BOSH Director to version v282.1.12 or later.
Exploit
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Bosh Director
Bosh