CVE-2020-5400: Cloud Controller logs environment variables from app manifests
First published: Mon Feb 24 2020(Updated: )
Cloud Foundry Cloud Controller (CAPI), versions prior to 1.91.0, logs properties of background jobs when they are run, which may include sensitive information such as credentials if provided to the job. A malicious user with access to those logs may gain unauthorized access to resources protected by such credentials.
Credit: security@pivotal.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cloudfoundry Capi-release | <1.91.0 | |
| Cloudfoundry Cf-deployment | <12.33.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-5400?
CVE-2020-5400 is a vulnerability in Cloud Foundry Cloud Controller (CAPI) versions prior to 1.91.0.
How does CVE-2020-5400 affect Cloud Foundry?
CVE-2020-5400 allows a malicious user with access to job logs to potentially gain unauthorized access to protected resources in Cloud Foundry.
What software versions are affected by CVE-2020-5400?
Cloud Foundry Cloud Controller (CAPI) versions prior to 1.91.0 and cf-deployment versions prior to 12.33.0 are affected by CVE-2020-5400.
What is the severity of CVE-2020-5400?
The severity of CVE-2020-5400 is high with a CVSS score of 6.5.
How can I fix CVE-2020-5400?
To fix CVE-2020-5400, it is recommended to upgrade to Cloud Foundry Cloud Controller (CAPI) version 1.91.0 or later.
- collector/nvd-index
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/references
- agent/author
- agent/title
- agent/tags
- agent/event
- agent/first-publish-date
- agent/description
- vendor/cloudfoundry
- canonical/cloudfoundry capi-release
- canonical/cloudfoundry cf-deployment