high
7.8
CWE
200 522
Advisory Published
Updated

CVE-2019-3800: CF CLI writes the client id and secret to config file

First published: Thu Jul 18 2019(Updated: )

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

Credit: security_alert@emc.com

Affected SoftwareAffected VersionHow to fix
Cloud Foundry Command Line Interface<6.45.0
Pivotal Cloud Foundry Command Line Interface<1.16.0
Pivotal Cloud Foundry<10.0.0
Pivotal Cloud Foundry<9.3.0
Pivotal Cloud Foundry Log Cache<2.3.1
Cloud Foundry Cf-networking<2.23.0
Pivotal Cloud Foundry Notifications<58
Pivotal Cloud Foundry<0.189.0
Pivotal Cloud Foundry<40.0.113
VMware Tanzu Application Service>=2.3.0<2.3.14
VMware Tanzu Application Service>=2.4.0<2.4.10
VMware Tanzu Application Service>=2.5.0<2.5.6
Pivotal Cloud Foundry Autoscaling Release<219
Pivotal Cloud Foundry Event Alerts<1.2.8
Pivotal Cloud Foundry Healthwatch>=1.4.0<1.4.7
Pivotal Cloud Foundry Healthwatch>=1.5.0<1.5.4
Pivotal Software CredHub Service Broker<1.3.2
Pivotal Metric Registrar<1.2
Pivotal On-Demand Service Broker<0.29.0
Pivotal Cloud Foundry Service Broker for AWS<1.4.13
VMware Tanzu Pivotal Single Sign-On>=1.7.0<1.7.5
VMware Tanzu Pivotal Single Sign-On>=1.8.0<1.8.4
VMware Tanzu Pivotal Single Sign-On>=1.9.0<1.9.1
anynines Elasticsearch for Pivotal Cloud Foundry<2.1.2
Pivotal Cloud Foundry<2.1.2
anynines MongoDB for Pivotal Cloud Foundry<2.1.2
AnyNines MySQL for Pivotal Cloud Foundry<2.1.2
anynines PostgreSQL for Pivotal Cloud Foundry<2.1.2
anynines RabbitMQ for Pivotal Cloud Foundry<2.1.2
anynines Redis for Pivotal Cloud Foundry<2.1.2
Apigee Edge Service Broker for Pivotal Cloud Foundry<3.1.3
AppDynamics Application Analytics for Pivotal Cloud Foundry<4.7.652
AppDynamics Application Performance Monitoring for Pivotal Cloud Foundry<4.6.64
AppDynamics Platform Monitoring for Pivotal Cloud Foundry<4.7.712
Blue Medora Nozzle for Pivotal Cloud Foundry<3.1.1
Contrast Security Service Broker for Pivotal Cloud Foundry<2.2.0
CyberArk Conjur Service Broker for Pivotal Cloud Foundry<1.1.1
Datadog Application Monitoring for Pivotal Cloud Foundry<1.7.0
DataStax Enterprise Service Broker for Pivotal Cloud Foundry<1.0.2
Dynatrace Service Broker for Pivotal Cloud Foundry<1.4.2
ForgeRock Service Broker for Pivotal Cloud Foundry<2.1.2
Google Cloud Platform Service Broker for Pivotal Cloud Foundry<4.2.3
Pivotal Cloud Foundry<3.11.0
Microsoft Azure Log Analytics Nozzle for Pivotal Cloud Foundry<1.4.1
Microsoft Azure Service Broker for Pivotal Cloud Foundry<1.4.1
New Relic .NET Extension Buildpack<1.1.1
New Relic Nozzle for Pivotal Cloud Foundry<1.1.17
New Relic Service Broker for Pivotal Cloud Foundry<1.12.64
PagerDuty Service Broker for Pivotal Cloud Foundry<1.2.4
Riverbed SteelCentral AppInternals<10.21.1-bl516
Pivotal Cloud Foundry SMB Volume<1.1.1
Signal Sciences Service Broker for Pivotal Cloud Foundry<1.1.0
Snyk Service Broker for Pivotal Cloud Foundry<1.0.3
Pivotal Cloud Foundry<2.3.2
Splunk Nozzle for Pivotal Cloud Foundry<1.1.1
Sumo Logic Nozzle for Pivotal Cloud Foundry<1.0.1
Synopsys Seeker IAST Service Broker for Pivotal Cloud Foundry<1.2.14
TIBCO BusinessWorks Buildpack for Pivotal Cloud Foundry<2.4.4
Wavefront by VMware<1.0.2
Pivotal Cloud Foundry<1.1.8

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2019-3800?

    CVE-2019-3800 is considered a medium severity vulnerability due to potential unauthorized access to sensitive client credentials.

  • How do I fix CVE-2019-3800?

    To mitigate CVE-2019-3800, upgrade to CF CLI version 6.45.0 or later.

  • Who is affected by CVE-2019-3800?

    CVE-2019-3800 affects users of CF CLI versions prior to 6.45.0 who authenticate using the --client-credentials flag.

  • What impact does CVE-2019-3800 have?

    CVE-2019-3800 allows a local authenticated user to access sensitive client credentials stored in the CF CLI config file.

  • Is there a workaround for CVE-2019-3800?

    As a workaround, users can manually remove sensitive credentials from the CF CLI config file until an upgrade can be performed.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203