CVE-2019-3800 - 漏洞详情

CVE-2019-3800 (CNNVD-201907-1355)

MEDIUM

中文标题:

Cloud Foundry CLI 信息泄露漏洞

英文标题:

CF CLI writes the client id and secret to config file

CVSS分数: 6.3

发布时间: 2019-08-05 16:38:20

漏洞类型: 信息泄露

状态: PUBLISHED

数据质量分数: 0.30

数据版本: v3

漏洞描述

中文描述:

Cloud Foundry CLI是美国Cloud Foundry基金会的一款用于Cloud Foundry的命令行客户端程序。 Cloud Foundry CLI中存在信息泄露漏洞。本地攻击者可利用该漏洞获取敏感信息，执行操作。以下产品及版本受到影响：Cloud Foundry CF CLI 6.45.0之前版本；CF CLI Release 1.16.0之前版本；CF Networking Release 2.23.0之前版本；CF Routing Release 0.189.0之前版本；CF Smoke Tests 40.0.113之前版本；CF Deployment 10.0.0之前版本；CF Deployment Concourse Tasks 9.3.0之前版本；CF Log Cache Release 2.3.1之前版本；CF Notifications 58之前版本。

英文描述:

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

CWE类型:

CWE-522 CWE-200

受影响产品

厂商	产品	版本	版本范围	平台	CPE
Cloud Foundry	CF CLI Release	v1.x before v1.16.0	-	-	`cpe:2.3:a:cloud_foundry:cf_cli_release:v1.x_before_v1.16.0:::::::*`
Cloud Foundry	CF CLI	versions prior to v6.45.0	-	-	`cpe:2.3:a:cloud_foundry:cf_cli:versions_prior_to_v6.45.0:::::::*`
pivotal	cloud_foundry_command_line_interface	*	-	-	`cpe:2.3:a:pivotal:cloud_foundry_command_line_interface::::::::`
pivotal	cloud_foundry_command_line_interface_release	*	-	-	`cpe:2.3:a:pivotal:cloud_foundry_command_line_interface_release::::::::`
pivotal	cloud_foundry_deployment	*	-	-	`cpe:2.3:a:pivotal:cloud_foundry_deployment::::::::`
pivotal	cloud_foundry_deployment_concourse_tasks	*	-	-	`cpe:2.3:a:pivotal:cloud_foundry_deployment_concourse_tasks::::::::`
pivotal	cloud_foundry_log_cache_release	*	-	-	`cpe:2.3:a:pivotal:cloud_foundry_log_cache_release::::::::`
pivotal	cloud_foundry_networking_release	*	-	-	`cpe:2.3:a:pivotal:cloud_foundry_networking_release::::::::`
pivotal	cloud_foundry_notifications	*	-	-	`cpe:2.3:a:pivotal:cloud_foundry_notifications::::::::`
pivotal	cloud_foundry_routing_release	*	-	-	`cpe:2.3:a:pivotal:cloud_foundry_routing_release::::::::`
pivotal	cloud_foundry_smoke_test	*	-	-	`cpe:2.3:a:pivotal:cloud_foundry_smoke_test::::::::`
pivotal	application_service	*	-	-	`cpe:2.3:a:pivotal:application_service::::::::`
pivotal	cloud_foundry_autoscaling_release	*	-	-	`cpe:2.3:a:pivotal:cloud_foundry_autoscaling_release::::::::`
pivotal	cloud_foundry_event_alerts	*	-	-	`cpe:2.3:a:pivotal:cloud_foundry_event_alerts::::::::`
pivotal	cloud_foundry_healthwatch	*	-	-	`cpe:2.3:a:pivotal:cloud_foundry_healthwatch::::::::`
pivotal	credhub_service_broker_for_pcf	*	-	-	`cpe:2.3:a:pivotal:credhub_service_broker_for_pcf::::::::`
pivotal	metric_registrar_release	*	-	-	`cpe:2.3:a:pivotal:metric_registrar_release::::::::`
pivotal	on_demand_service_broker	*	-	-	`cpe:2.3:a:pivotal:on_demand_service_broker::::::::`
pivotal	pivotal_cloud_foundry_service_broker	*	-	-	`cpe:2.3:a:pivotal:pivotal_cloud_foundry_service_broker::::::aws::*`
pivotal	single_sign-on	*	-	-	`cpe:2.3:a:pivotal:single_sign-on::::::cloud_foundry::*`
anynines	elasticsearch	*	-	-	`cpe:2.3:a:anynines:elasticsearch::::::pivotal_cloud_foundry::*`
anynines	logme	*	-	-	`cpe:2.3:a:anynines:logme::::::pivotal_cloud_foundry::*`
anynines	mongodb	*	-	-	`cpe:2.3:a:anynines:mongodb::::::pivotal_cloud_foundry::*`
anynines	mysql	*	-	-	`cpe:2.3:a:anynines:mysql::::::pivotal_cloud_foundry::*`
anynines	postgresql	*	-	-	`cpe:2.3:a:anynines:postgresql::::::pivotal_cloud_foundry::*`
anynines	rabbitmq	*	-	-	`cpe:2.3:a:anynines:rabbitmq::::::pivotal_cloud_foundry::*`
anynines	redis	*	-	-	`cpe:2.3:a:anynines:redis::::::pivotal_cloud_foundry::*`
apigee	edge_service_broker	*	-	-	`cpe:2.3:a:apigee:edge_service_broker::::::pivotal_cloud_foundry::*`
appdynamics	application_analytics	*	-	-	`cpe:2.3:a:appdynamics:application_analytics::::::pivotal_cloud_foundry::*`
appdynamics	application_performance_monitoring	*	-	-	`cpe:2.3:a:appdynamics:application_performance_monitoring::::::pivotal_cloud_foundry::*`
appdynamics	platform_montioring	*	-	-	`cpe:2.3:a:appdynamics:platform_montioring::::::pivotal_cloud_foundry::*`
bluemedora	nozzle	*	-	-	`cpe:2.3:a:bluemedora:nozzle::::::pivotal_cloud_foundry::*`
contrastsecurity	service_broker	*	-	-	`cpe:2.3:a:contrastsecurity:service_broker::::::pivotal_cloud_foundry::*`
cyberark	conjur_service_broker	*	-	-	`cpe:2.3:a:cyberark:conjur_service_broker::::::pivotal_cloud_foundry::*`
datadoghq	application_monitoring	*	-	-	`cpe:2.3:a:datadoghq:application_monitoring::::::pivotal_cloud_foundry::*`
datastax	enterprise_service_broker	*	-	-	`cpe:2.3:a:datastax:enterprise_service_broker::::::pivotal_cloud_foundry::*`
dynatrace	service_broker	*	-	-	`cpe:2.3:a:dynatrace:service_broker::::::pivotal_cloud_foundry::*`
forgerock	service_broker	*	-	-	`cpe:2.3:a:forgerock:service_broker::::::pivotal_cloud_foundry::*`
google	google_cloud_platform_service_broker	*	-	-	`cpe:2.3:a:google:google_cloud_platform_service_broker::::::pivotal_cloud_foundry::*`
ibm	websphere_liberty_	*	-	-	`cpe:2.3:a:ibm:websphere_liberty_::::::pivotal_cloud_foundry::*`
microsoft	azure_log_analytics_nozzle	*	-	-	`cpe:2.3:a:microsoft:azure_log_analytics_nozzle::::::pivotal_cloud_foundry::*`
microsoft	azure_service_broker	*	-	-	`cpe:2.3:a:microsoft:azure_service_broker::::::pivotal_cloud_foundry::*`
newrelic	dotnet_extension_buildpack	*	-	-	`cpe:2.3:a:newrelic:dotnet_extension_buildpack::::::pivotal_cloud_foundry::*`
newrelic	nozzle	*	-	-	`cpe:2.3:a:newrelic:nozzle::::::pivotal_cloud_foundry::*`
newrelic	service_broker	*	-	-	`cpe:2.3:a:newrelic:service_broker::::::pivotal_cloud_foundry::*`
pagerduty	service_broker	*	-	-	`cpe:2.3:a:pagerduty:service_broker::::::pivotal_cloud_foundry::*`
riverbed	steelcentral_appinternals	*	-	-	`cpe:2.3:a:riverbed:steelcentral_appinternals::::::pivotal_cloud_foundry::*`
samba	volume_service	*	-	-	`cpe:2.3:a:samba:volume_service::::::pivotal_cloud_foundry::*`
signalsciences	service_broker	*	-	-	`cpe:2.3:a:signalsciences:service_broker::::::pivotal_cloud_foundry::*`
snyk	service_broker	*	-	-	`cpe:2.3:a:snyk:service_broker::::::pivotal_cloud_foundry::*`
solace	pubsub\+	*	-	-	`cpe:2.3:a:solace:pubsub\+::::::pivotal_cloud_foundry::*`
splunk	nozzle	*	-	-	`cpe:2.3:a:splunk:nozzle::::::pivotal_cloud_foundry::*`
sumologic	nozzle	*	-	-	`cpe:2.3:a:sumologic:nozzle::::::pivotal_cloud_foundry::*`
synopsys	seeker_iast_service_broker	*	-	-	`cpe:2.3:a:synopsys:seeker_iast_service_broker::::::pivotal_cloud_foundry::*`
tibco	businessworks_buildpack	*	-	-	`cpe:2.3:a:tibco:businessworks_buildpack:::::container:pivotal_cloud_foundry::`
wavefront	wavefront_by_vmware_nozzle	*	-	-	`cpe:2.3:a:wavefront:wavefront_by_vmware_nozzle::::::pivotal_cloud_foundry::*`
yugabyte	db_enterprise	*	-	-	`cpe:2.3:a:yugabyte:db_enterprise::::::pivotal_cloud_foundry::*`

解决方案

中文解决方案:

（暂无数据）

英文解决方案:

（暂无数据）

临时解决方案:

（暂无数据）

参考链接

无标题 x_refsource_CONFIRM
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

CVSS评分详情

3.0 (cna)

MEDIUM

6.3

CVSS向量: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

机密性

LOW

完整性

LOW

可用性

LOW

时间信息

发布时间:

2019-08-05 16:38:20

修改时间:

2024-09-17 04:29:08

创建时间:

2025-11-11 15:35:46

更新时间:

2025-11-11 15:54:38

利用信息

暂无可利用代码信息

数据源详情

数据源	记录ID	版本	提取时间
CVE	`cve_CVE-2019-3800`	2025-11-11 15:20:11	2025-11-11 07:35:46
NVD	`nvd_CVE-2019-3800`	2025-11-11 14:56:25	2025-11-11 07:44:15
CNNVD	`cnnvd_CNNVD-201907-1355`	2025-11-11 15:10:14	2025-11-11 07:54:38

版本与语言

当前版本: v3

主要语言: EN

支持语言:

EN ZH

安全公告

暂无安全公告信息

变更历史

v3 CNNVD

2025-11-11 15:54:38

vulnerability_type: 未提取 → 信息泄露; cnnvd_id: 未提取 → CNNVD-201907-1355; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']

查看详细变更

vulnerability_type: 未提取 -> 信息泄露
cnnvd_id: 未提取 -> CNNVD-201907-1355
data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']

v2 NVD

2025-11-11 15:44:15

affected_products_count: 2 → 57; data_sources: ['cve'] → ['cve', 'nvd']

查看详细变更

affected_products_count: 2 -> 57
data_sources: ['cve'] -> ['cve', 'nvd']

CVE-2019-3800 (CNNVD-201907-1355)

中文标题:

Cloud Foundry CLI 信息泄露漏洞

英文标题:

CF CLI writes the client id and secret to config file

漏洞描述

中文描述:

英文描述:

CWE类型:

标签:

受影响产品

解决方案

中文解决方案:

英文解决方案:

临时解决方案:

参考链接

CVSS评分详情

3.0 (cna)

时间信息

利用信息

数据源详情

版本与语言

安全公告

变更历史