Skip to main content

BOSH Director EUVDEUVD-2026-32098

| CVE-2026-41009 MEDIUM
Path Traversal (CWE-22)
2026-05-27 security@vmware.com GHSA-gq7j-4834-ccgp
4.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 22:19 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionCVE.org

When the director sends a long-running request (e.g. compile_package), the agent's reply JSON is consumed by AgentClient. inject_compile_log (line 332-339) reads response['value']['result']['compile_log_id'] and format_exception (line 318-325) reads exception['blobstore_id']; both pass the agent-supplied string unmodified to download_and_delete_blob(blob_id) (line 344-349), which calls @resource_manager.get_resource(blob_id) and, in an ensure block, @resource_manager.delete_resource(blob_id). Api::ResourceManager forwards the id straight to blobstore.get(id) / blobstore.delete(id). When the director is configured with the local blobstore provider, Blobstore::LocalClient#object_file_path(oid) is File.join(@blobstore_path, oid) (local_client.rb:54-56) with no normalisation, so oid = "../../jobs/director/config/director.yml" resolves outside the blobstore root.

Affected versions: BOSH Director: All versions prior to v282.1.12

AnalysisAI

Path traversal in BOSH Director allows a compromised BOSH agent to cause the Director to read and delete arbitrary files outside the blobstore root on the Director host filesystem. When the Director processes long-running operations such as compile_package and is configured with the local blobstore provider, agent-supplied blob IDs in the reply JSON are passed unmodified into filesystem path construction, enabling traversal strings like '../../jobs/director/config/director.yml' to resolve to sensitive files. No public exploit exists and no active exploitation has been identified; the CVSS 4.0 score of 4.3 reflects the significant prerequisite barriers including high privilege requirements and a specific non-default configuration.

Technical ContextAI

BOSH is the Cloud Foundry infrastructure deployment tool; the Director orchestrates agents running on managed VMs. For long-running tasks, AgentClient reads the agent's JSON reply and processes blob identifiers via two code paths: inject_compile_log (local_client.rb lines 332-339) reading response['value']['result']['compile_log_id'], and format_exception (lines 318-325) reading exception['blobstore_id']. Both paths call download_and_delete_blob (lines 344-349), which invokes Api::ResourceManager to call blobstore.get(id) followed by blobstore.delete(id) in an ensure block - meaning both operations always execute regardless of success. When the local blobstore provider is active, Blobstore::LocalClient#object_file_path constructs paths with File.join(@blobstore_path, oid) (local_client.rb:54-56) without any normalization, canonicalization, or prefix validation. CWE-22 (Path Traversal) is the root cause: user-controlled input is concatenated directly into a trusted filesystem base path, allowing '../' sequences to escape the blobstore directory. The vulnerability is exclusive to deployments using the local blobstore provider; cloud blobstore backends (S3, Azure Blob, GCS) are unaffected because their object IDs are not resolved as filesystem paths.

RemediationAI

The primary fix is to upgrade BOSH Director to v282.1.12 or later; this is a vendor-released patch confirmed by the Cloud Foundry advisory at https://www.cloudfoundry.org/blog/cve-2026-41009-local-blobstore-may-allow-arbitrary-reads-deletes/. If an immediate upgrade is not feasible, a highly effective compensating control is to migrate from the local blobstore provider to a remote blobstore backend (S3, Azure Blob, GCS), as the path traversal is specific to Blobstore::LocalClient's filesystem path construction and does not apply to object-store backends - note that this migration requires Director reconfiguration and a blobstore migration procedure which may involve downtime. A secondary defensive measure is to restrict which agent VMs can be registered with the Director and to harden agent VM access to reduce the prerequisite of agent compromise; however, this does not eliminate the underlying code vulnerability and is not a substitute for patching. Filesystem-level controls such as running the Director process under a user with restricted read/write scope outside the blobstore directory can reduce blast radius but cannot fully prevent traversal if the Director process requires access to configuration files in adjacent directories.

Share

EUVD-2026-32098 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy