Bosh
Monthly
Command injection in Cloud Foundry BOSH versions prior to v282.1.12 allows an attacker who can upload a release tarball to execute arbitrary shell commands on the BOSH Director host by embedding shell metacharacters in the package name field of the release.MF manifest. The flaw stems from PackagePersister.validate_tgz interpolating the unsanitized name into a `tar -tf` invocation executed through `/bin/sh -c`, with model-level validation occurring only after the shell-out. No public exploit identified at time of analysis, and the bug is not listed in CISA KEV.
Arbitrary blobstore deletion in BOSH Director allows a compromised, high-privileged BOSH-managed VM to delete any object from the shared Director blobstore by injecting crafted NATS reply messages. All BOSH Director versions prior to v282.1.12 are affected, with the root cause being a complete absence of UUID-format validation, ownership checks, and namespace prefixing in ResourceManager before executing blobstore.delete(). An attacker leveraging this post-compromise path can corrupt or destroy deployment artifacts, compiled packages, and release binaries relied upon by dependent deployments, producing cascading availability failures across the BOSH environment. No public exploit or active exploitation has been identified at time of analysis; SSVC confirms exploitation status as none.
Path traversal in BOSH Director allows a compromised BOSH agent to cause the Director to read and delete arbitrary files outside the blobstore root on the Director host filesystem. When the Director processes long-running operations such as compile_package and is configured with the local blobstore provider, agent-supplied blob IDs in the reply JSON are passed unmodified into filesystem path construction, enabling traversal strings like '../../jobs/director/config/director.yml' to resolve to sensitive files. No public exploit exists and no active exploitation has been identified; the CVSS 4.0 score of 4.3 reflects the significant prerequisite barriers including high privilege requirements and a specific non-default configuration.
Cloud Foundry BOSH 270.x versions prior to v270.1.1, contain a BOSH Director that does not properly redact credentials when configured to use a MySQL database. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Cloud Foundry BOSH, versions v264 prior to v264.14.0 and v265 prior to v265.7.0 and v266 prior to v266.8.0 and v267 prior to v267.2.0, allows refresh tokens to be as access tokens when using UAA for. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An issue was discovered in Cloud Foundry Foundation BOSH Release 261.x versions prior to 261.3 and all 260.x versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Command injection in Cloud Foundry BOSH versions prior to v282.1.12 allows an attacker who can upload a release tarball to execute arbitrary shell commands on the BOSH Director host by embedding shell metacharacters in the package name field of the release.MF manifest. The flaw stems from PackagePersister.validate_tgz interpolating the unsanitized name into a `tar -tf` invocation executed through `/bin/sh -c`, with model-level validation occurring only after the shell-out. No public exploit identified at time of analysis, and the bug is not listed in CISA KEV.
Arbitrary blobstore deletion in BOSH Director allows a compromised, high-privileged BOSH-managed VM to delete any object from the shared Director blobstore by injecting crafted NATS reply messages. All BOSH Director versions prior to v282.1.12 are affected, with the root cause being a complete absence of UUID-format validation, ownership checks, and namespace prefixing in ResourceManager before executing blobstore.delete(). An attacker leveraging this post-compromise path can corrupt or destroy deployment artifacts, compiled packages, and release binaries relied upon by dependent deployments, producing cascading availability failures across the BOSH environment. No public exploit or active exploitation has been identified at time of analysis; SSVC confirms exploitation status as none.
Path traversal in BOSH Director allows a compromised BOSH agent to cause the Director to read and delete arbitrary files outside the blobstore root on the Director host filesystem. When the Director processes long-running operations such as compile_package and is configured with the local blobstore provider, agent-supplied blob IDs in the reply JSON are passed unmodified into filesystem path construction, enabling traversal strings like '../../jobs/director/config/director.yml' to resolve to sensitive files. No public exploit exists and no active exploitation has been identified; the CVSS 4.0 score of 4.3 reflects the significant prerequisite barriers including high privilege requirements and a specific non-default configuration.
Cloud Foundry BOSH 270.x versions prior to v270.1.1, contain a BOSH Director that does not properly redact credentials when configured to use a MySQL database. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Cloud Foundry BOSH, versions v264 prior to v264.14.0 and v265 prior to v265.7.0 and v266 prior to v266.8.0 and v267 prior to v267.2.0, allows refresh tokens to be as access tokens when using UAA for. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An issue was discovered in Cloud Foundry Foundation BOSH Release 261.x versions prior to 261.3 and all 260.x versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.