Bpm Release
Monthly
Symlink-following in Cloud Foundry bpm-release's setupBpmLogs function enables a container-to-host confidentiality breach, allowing a compromised low-privileged process inside a bpm container to manipulate root into chowning an arbitrary host file - including /etc/shadow - to the vcap user. All bpm-release versions prior to v1.4.30 are affected. Once ownership of /etc/shadow is taken, the attacker reads every host password hash via bpm's existing read-only /etc bind mount, effectively breaking the container boundary without requiring any user interaction. No public exploit or CISA KEV listing has been identified at time of analysis, though the low attack complexity and clear exploitation path make this a credible near-term risk.
Symlink-following in Cloud Foundry bpm-release's setupBpmLogs function enables a container-to-host confidentiality breach, allowing a compromised low-privileged process inside a bpm container to manipulate root into chowning an arbitrary host file - including /etc/shadow - to the vcap user. All bpm-release versions prior to v1.4.30 are affected. Once ownership of /etc/shadow is taken, the attacker reads every host password hash via bpm's existing read-only /etc bind mount, effectively breaking the container boundary without requiring any user interaction. No public exploit or CISA KEV listing has been identified at time of analysis, though the low attack complexity and clear exploitation path make this a credible near-term risk.