Skip to main content

BOSH EUVDEUVD-2026-34193

| CVE-2026-41859 HIGH
Improper Certificate Validation (CWE-295)
2026-06-04 vmware GHSA-cggw-g858-xx4w
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch available
Jun 04, 2026 - 04:15 EUVD
Analysis Updated
Jun 04, 2026 - 03:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 04, 2026 - 03:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 04, 2026 - 03:22 vuln.today
cvss_changed
CVSS changed
Jun 04, 2026 - 03:22 NVD
7.8 (HIGH) 7.1 (HIGH)
Analysis Generated
Jun 04, 2026 - 02:42 vuln.today
CVE Published
Jun 04, 2026 - 01:51 nvd
HIGH 7.8

DescriptionCVE.org

A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials (Basic auth header or UAA client secret) and can tamper with the VM list that is written into the NATS authorization file. Stolen credentials grant administrative director access. UsersSync#bosh_api_response_body builds a Net::HTTP client with verify_mode = OpenSSL::SSL::VERIFY_NONE for every director call (/info, /deployments, /deployments/<name>/vms).

Affected versions:

  • BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later

AnalysisAI

Credential theft and authorization tampering in Cloud Foundry BOSH (versions prior to v282.1.9) stems from the nats-sync component disabling TLS certificate validation when contacting the BOSH director. An attacker positioned on the network between nats-sync and the director can intercept Basic auth headers or UAA client secrets and modify the VM list written into the NATS authorization file, ultimately gaining administrative director access. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

BOSH is the Cloud Foundry release-engineering and VM lifecycle tool that orchestrates deployments via a director API and uses NATS for messaging between the director and managed VMs. The nats-sync component periodically polls the director's /info, /deployments, and /deployments/<name>/vms endpoints to rebuild the NATS authorization file that gates which VMs may publish/subscribe on which subjects. The root cause is CWE-295 (Improper Certificate Validation): UsersSync#bosh_api_response_body constructs a Net::HTTP client with verify_mode = OpenSSL::SSL::VERIFY_NONE, so the TLS handshake completes against any certificate - including one presented by a man-in-the-middle - leaking the credentials carried in the request and accepting forged response bodies.

RemediationAI

Vendor-released patch: BOSH v282.1.9 - upgrade to v282.1.9 or later, which restores proper TLS certificate validation in the nats-sync director client, per the Cloud Foundry advisory at https://www.cloudfoundry.org/blog/cve-2026-41859-missing-tls-in-nats-sync/. If immediate upgrade is not possible, restrict the network path between nats-sync and the BOSH director to a trusted, isolated segment so that no attacker can interpose on the TCP flow (for example by collocating components, using a private management VLAN, or enforcing IPsec/WireGuard between the hosts); the trade-off is operational complexity and potential loss of flexibility in distributed deployments. Additionally, consider rotating any BOSH director Basic auth credentials and UAA client secrets used by nats-sync after patching, in case they were exposed to an on-path observer prior to the fix.

CVE-2014-0160 HIGH POC
7.5 Apr 07

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe

CVE-2014-0195 MEDIUM POC
6.8 Jun 05

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2016-0800 MEDIUM POC
5.9 Mar 01

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se

CVE-2015-0204 MEDIUM POC
4.3 Jan 09

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k

CVE-2014-3566 LOW POC
3.4 Oct 15

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak

CVE-2016-2107 MEDIUM POC
5.9 May 05

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2022-3602 HIGH
7.5 Nov 01

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig

CVE-2014-3470 MEDIUM
4.3 Jun 05

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

Share

EUVD-2026-34193 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy