Skip to main content

BOSH Director EUVDEUVD-2026-34198

| CVE-2026-41010 HIGH
OS Command Injection (CWE-78)
2026-06-04 vmware GHSA-gmvv-r68v-m7x9
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch available
Jun 04, 2026 - 05:00 EUVD
Analysis Updated
Jun 04, 2026 - 04:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 04, 2026 - 04:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 04, 2026 - 04:22 vuln.today
cvss_changed
CVSS changed
Jun 04, 2026 - 04:22 NVD
8.2 (HIGH) 8.7 (HIGH)
Analysis Generated
Jun 04, 2026 - 04:14 vuln.today

DescriptionCVE.org

ReleaseJob#unpack builds job_dir = File.join(@release_dir, 'jobs', name) and job_tgz = File.join(@release_dir, 'jobs', "#{name}.tgz") where name returns @job_meta['name'], a value taken verbatim from the jobs: array of the attacker-supplied release.MF inside the uploaded tarball. These paths are then interpolated into a shell string: Bosh::Common::Exec.sh("tar -C #{job_dir} -xf #{job_tgz} 2>&1", :on_error => :return). Bosh::Common::Exec.sh executes via %x{#{command}} (bosh-common/lib/bosh/common/exec.rb:53), i.e. /bin/sh -c, so any shell metacharacters in name are interpreted. FileUtils.mkdir_p(job_dir) on line 49 creates the literal directory (no shell) and succeeds even when the name contains $()/;, so execution reaches the sh call.

Affected versions:

  • BOSH Director: all versions prior to v282.1.12 (inclusive); fixed in v282.1.12 or later

AnalysisAI

Command injection in Cloud Foundry BOSH Director (all versions prior to v282.1.12) allows an authenticated release uploader to achieve arbitrary OS command execution on the Director by embedding shell metacharacters in the jobs[].name field of a release.MF manifest inside an uploaded tarball. The unsafe value flows from ReleaseJob#unpack into a /bin/sh -c invocation via Bosh::Common::Exec.sh, so payloads such as $(...) or ; are interpreted by the shell during release unpacking. No public exploit identified at time of analysis; no CISA KEV listing, but the Cloud Foundry Foundation has published an advisory and a fixed release.

Technical ContextAI

BOSH is the Cloud Foundry release-engineering and deployment tool that manages VM/container lifecycles across IaaS providers; the Director is its central orchestration component. The vulnerable code path is in jobs/release_job.rb (ReleaseJob#unpack), which composes job_dir and job_tgz with File.join using @job_meta['name'] read straight from the attacker-controlled release.MF YAML, then interpolates both paths into a tar command passed to Bosh::Common::Exec.sh. That helper executes its argument through Ruby's %x{} backticks (bosh-common/lib/bosh/common/exec.rb:53), which spawn /bin/sh -c and therefore evaluate metacharacters like $(), backticks, ;, and |. FileUtils.mkdir_p tolerates these characters at the filesystem layer, so the malicious value survives long enough to reach the shell. This is a textbook CWE-78 (OS Command Injection) caused by mixing untrusted manifest data with string-built shell commands rather than using an argv-array exec form.

RemediationAI

Vendor-released patch: BOSH Director v282.1.12 - upgrade the Director (and any HA/standby Directors) to v282.1.12 or later as documented at https://www.cloudfoundry.org/blog/cve-2026-41010-release-job-name-command-injection-on-bosh-director/. As a compensating control until the upgrade is deployed, tightly restrict who holds bosh.releases.upload (or equivalent UAA scope) and revoke release-upload permissions from shared CI service accounts, since exploitation requires the ability to upload a malicious release tarball; this has the side effect of breaking automated release pipelines that depend on those accounts. Additionally, review and lock down ingress to the Director API so only trusted jumpboxes/CI runners can reach it, and audit recent release uploads for jobs whose name field contains shell metacharacters ($, `, ;, |, &, newline) as an indicator of attempted exploitation.

Share

EUVD-2026-34198 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy