CVE-2019-11271: Bosh Deployment logs leak sensitive information
Pivotal Cloud Foundry
Pivotal Ops Manager , 2.3.x versions prior to 2.3.20, 2.3.x versions prior to 2.4.13, and 2.5.x versions prior to 2.5.6 contain a BOSH Director that does not properly redact credentials when configured to use a MySQL database. A local authenticated malicious user may read any credentials that are contained in a BOSH manifest.
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- Pivotal Ops Manager 2.3.x versions prior to 2.3.20
- Pivotal Ops Manager 2.4.x versions prior to 2.4.13
- Pivotal Ops Manager 2.5.x versions prior to 2.5.6
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
- Pivotal Ops Manager 2.3.20
- Pivotal Ops Manager 2.4.13
- Pivotal Ops Manager 2.5.6
2019-06-28: Initial vulnerability report published