All Vulnerability Reports

CVE-2019-11271: Bosh Deployment logs leak sensitive information


Severity

Medium

Vendor

Pivotal Cloud Foundry

Description

Pivotal Ops Manager , 2.3.x versions prior to 2.3.20, 2.3.x versions prior to 2.4.13, and 2.5.x versions prior to 2.5.6 contain a BOSH Director that does not properly redact credentials when configured to use a MySQL database. A local authenticated malicious user may read any credentials that are contained in a BOSH manifest.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • Pivotal Ops Manager 2.3.x versions prior to 2.3.20
  • Pivotal Ops Manager 2.4.x versions prior to 2.4.13
  • Pivotal Ops Manager 2.5.x versions prior to 2.5.6

Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • Pivotal Ops Manager 2.3.20
    • Pivotal Ops Manager 2.4.13
    • Pivotal Ops Manager 2.5.6

References

History

2019-06-28: Initial vulnerability report published