Skip to main content

Cloud Foundry BOSH EUVDEUVD-2026-34197

| CVE-2026-41011 HIGH
OS Command Injection (CWE-78)
2026-06-04 vmware GHSA-96vc-39m3-22w5
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch available
Jun 04, 2026 - 04:15 EUVD
Analysis Updated
Jun 04, 2026 - 03:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 04, 2026 - 03:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 04, 2026 - 03:22 vuln.today
cvss_changed
CVSS changed
Jun 04, 2026 - 03:22 NVD
8.2 (HIGH) 8.7 (HIGH)
Analysis Generated
Jun 04, 2026 - 02:43 vuln.today

DescriptionCVE.org

PackagePersister.validate_tgz builds "tar -tf #{tgz} 2>&1" where tgz = File.join(release_dir, 'packages', "#{name}.tgz") and name = package_meta['name'] comes directly from release.MF inside the uploaded tarball. The string is passed to Bosh::Common::Exec.sh, which executes via %x{} - i.e., /bin/sh -c. No Shellwords.escape is applied. The Models::Package Sequel validation (VALID_ID = /^[-0-9A-Za-z_+.]+$/i) would reject the name, but in create_package (lines 74-79) the shell-out in save_package_source_blob runs before package.save, so validation fires too late.

Affected versions:

  • BOSH: all versions prior to v282.1.12 (inclusive); fixed in v282.1.12 or later

AnalysisAI

Command injection in Cloud Foundry BOSH versions prior to v282.1.12 allows an attacker who can upload a release tarball to execute arbitrary shell commands on the BOSH Director host by embedding shell metacharacters in the package name field of the release.MF manifest. The flaw stems from PackagePersister.validate_tgz interpolating the unsanitized name into a tar -tf invocation executed through /bin/sh -c, with model-level validation occurring only after the shell-out. No public exploit identified at time of analysis, and the bug is not listed in CISA KEV.

Technical ContextAI

BOSH is the Cloud Foundry Foundation's release engineering, deployment, and lifecycle management tool used to deploy and manage distributed systems such as Cloud Foundry itself. The defect is a classic CWE-78 (OS Command Injection): the Ruby helper Bosh::Common::Exec.sh wraps %x{...}, which spawns /bin/sh -c, and PackagePersister.validate_tgz constructs the command string with raw interpolation of package_meta['name'] taken straight from the user-supplied release.MF inside the uploaded tarball. Although Models::Package defines VALID_ID = /^[-0-9A-Za-z_+.]+$/i to reject dangerous names, create_package (lines 74-79) invokes save_package_source_blob - which triggers the shell-out - before package.save runs validation, so Sequel's check never fires in time to block injection. Shellwords.escape is also not applied.

RemediationAI

Vendor-released patch: BOSH v282.1.12 - upgrade the BOSH Director to v282.1.12 or later as the primary fix, per the Cloud Foundry advisory at https://www.cloudfoundry.org/blog/cve-2026-41011-package-name-command-injection/. Until upgrade is possible, restrict who can upload BOSH releases by tightening UAA scopes and team membership so only fully trusted operators hold bosh.releases.upload / admin authority, and gate uploads through an out-of-band review that inspects release.MF for shell metacharacters in package name fields before the tarball reaches the Director; both controls slow legitimate release workflows and are not a substitute for patching. Monitor Director audit logs for unexpected child processes spawned under the tar -tf code path as a detective control.

Share

EUVD-2026-34197 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy