Skip to main content

Bosh

6 CVEs product

Monthly

CVE-2026-41011 HIGH PATCH This Week

Command injection in Cloud Foundry BOSH versions prior to v282.1.12 allows an attacker who can upload a release tarball to execute arbitrary shell commands on the BOSH Director host by embedding shell metacharacters in the package name field of the release.MF manifest. The flaw stems from PackagePersister.validate_tgz interpolating the unsanitized name into a `tar -tf` invocation executed through `/bin/sh -c`, with model-level validation occurring only after the shell-out. No public exploit identified at time of analysis, and the bug is not listed in CISA KEV.

Command Injection Bosh
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-41704 MEDIUM PATCH This Month

Arbitrary blobstore deletion in BOSH Director allows a compromised, high-privileged BOSH-managed VM to delete any object from the shared Director blobstore by injecting crafted NATS reply messages. All BOSH Director versions prior to v282.1.12 are affected, with the root cause being a complete absence of UUID-format validation, ownership checks, and namespace prefixing in ResourceManager before executing blobstore.delete(). An attacker leveraging this post-compromise path can corrupt or destroy deployment artifacts, compiled packages, and release binaries relied upon by dependent deployments, producing cascading availability failures across the BOSH environment. No public exploit or active exploitation has been identified at time of analysis; SSVC confirms exploitation status as none.

Authentication Bypass Bosh
NVD
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-41009 MEDIUM PATCH This Month

Path traversal in BOSH Director allows a compromised BOSH agent to cause the Director to read and delete arbitrary files outside the blobstore root on the Director host filesystem. When the Director processes long-running operations such as compile_package and is configured with the local blobstore provider, agent-supplied blob IDs in the reply JSON are passed unmodified into filesystem path construction, enabling traversal strings like '../../jobs/director/config/director.yml' to resolve to sensitive files. No public exploit exists and no active exploitation has been identified; the CVSS 4.0 score of 4.3 reflects the significant prerequisite barriers including high privilege requirements and a specific non-default configuration.

Path Traversal Bosh
NVD
CVSS 4.0
4.3
EPSS
0.0%
CVE-2019-11271 HIGH This Week

Cloud Foundry BOSH 270.x versions prior to v270.1.1, contain a BOSH Director that does not properly redact credentials when configured to use a MySQL database. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Bosh
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2018-11083 HIGH This Week

Cloud Foundry BOSH, versions v264 prior to v264.14.0 and v265 prior to v265.7.0 and v266 prior to v266.8.0 and v267 prior to v267.2.0, allows refresh tokens to be as access tokens when using UAA for. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Bosh
NVD
CVSS 3.1
8.1
EPSS
1.5%
CVE-2017-4961 HIGH This Week

An issue was discovered in Cloud Foundry Foundation BOSH Release 261.x versions prior to 261.3 and all 260.x versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Bosh
NVD
CVSS 3.0
8.8
EPSS
0.2%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Command injection in Cloud Foundry BOSH versions prior to v282.1.12 allows an attacker who can upload a release tarball to execute arbitrary shell commands on the BOSH Director host by embedding shell metacharacters in the package name field of the release.MF manifest. The flaw stems from PackagePersister.validate_tgz interpolating the unsanitized name into a `tar -tf` invocation executed through `/bin/sh -c`, with model-level validation occurring only after the shell-out. No public exploit identified at time of analysis, and the bug is not listed in CISA KEV.

Command Injection Bosh
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Arbitrary blobstore deletion in BOSH Director allows a compromised, high-privileged BOSH-managed VM to delete any object from the shared Director blobstore by injecting crafted NATS reply messages. All BOSH Director versions prior to v282.1.12 are affected, with the root cause being a complete absence of UUID-format validation, ownership checks, and namespace prefixing in ResourceManager before executing blobstore.delete(). An attacker leveraging this post-compromise path can corrupt or destroy deployment artifacts, compiled packages, and release binaries relied upon by dependent deployments, producing cascading availability failures across the BOSH environment. No public exploit or active exploitation has been identified at time of analysis; SSVC confirms exploitation status as none.

Authentication Bypass Bosh
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Path traversal in BOSH Director allows a compromised BOSH agent to cause the Director to read and delete arbitrary files outside the blobstore root on the Director host filesystem. When the Director processes long-running operations such as compile_package and is configured with the local blobstore provider, agent-supplied blob IDs in the reply JSON are passed unmodified into filesystem path construction, enabling traversal strings like '../../jobs/director/config/director.yml' to resolve to sensitive files. No public exploit exists and no active exploitation has been identified; the CVSS 4.0 score of 4.3 reflects the significant prerequisite barriers including high privilege requirements and a specific non-default configuration.

Path Traversal Bosh
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Cloud Foundry BOSH 270.x versions prior to v270.1.1, contain a BOSH Director that does not properly redact credentials when configured to use a MySQL database. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Bosh
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Cloud Foundry BOSH, versions v264 prior to v264.14.0 and v265 prior to v265.7.0 and v266 prior to v266.8.0 and v267 prior to v267.2.0, allows refresh tokens to be as access tokens when using UAA for. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Bosh
NVD
EPSS 0% CVSS 8.8
HIGH This Week

An issue was discovered in Cloud Foundry Foundation BOSH Release 261.x versions prior to 261.3 and all 260.x versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Bosh
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy