CVE-2019-11271: Bosh Deployment logs leak sensitive information




Pivotal Cloud Foundry


Pivotal Ops Manager, 2.3.x versions prior to 2.3.20, 2.4.x versions prior to 2.4.13, and 2.5.x versions prior to 2.5.6, contain a BOSH Director that does not properly redact credentials when configured to use a MySQL database. A local authenticated malicious user may read any credentials that are contained in a BOSH manifest.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • Pivotal Ops Manager 2.3.x versions prior to 2.3.20
  • Pivotal Ops Manager 2.4.x versions prior to 2.4.13
  • Pivotal Ops Manager 2.5.x versions prior to 2.5.6


Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • Pivotal Ops Manager 2.3.20
    • Pivotal Ops Manager 2.4.13
    • Pivotal Ops Manager 2.5.6



2019-06-28: Initial vulnerability report published