CVE-2016-6658 Incomplete fix for Credential Vulnerability for Custom Buildpacks


Molly Crowther
 

Severity

Medium

Vendor

Cloud Foundry Foundation

Versions Affected

- cf-release versions prior to 245

Description

This CVE addresses an incomplete fix for CVE-2016-6638, a credential
vulnerability in the Cloud Controller database.

Original text of CVE-2016-6658: Applications can be configured and pushed
with a user-provided custom buildpack using a URL pointing to the
buildpack. Although it is not recommended, a user can specify a credential
in the URL (basic auth or OAuth) to access the buildpack through the CLI.
For example, the user could include a GitHub username and password in the
URL to access a private repository. Because the URL to access the buildpack
is stored unencrypted, an operator with privileged access to the Cloud
Controller database could view these credentials.
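
A pre-push check for the pattern described above, as an added example that is not part of the original advisory or of Cloud Foundry's code: it flags buildpack settings whose URL carries a userinfo credential and returns a redacted form that is safe to log. The function names, app names and URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit


def audit_buildpack(value):
    """Return (has_credential, safe_value) for one buildpack setting."""
    parts = urlsplit(value)
    # A system buildpack name such as "ruby_buildpack" has no scheme or host.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, value
    # Basic auth gives username and password; a token often appears as
    # the username alone. Either form ends up stored with the URL.
    if not parts.username and not parts.password:
        return False, value
    # Rebuild the authority without the userinfo component.
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    safe = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return True, safe


def audit(apps):
    """Return [(app, redacted_url)] for apps whose buildpack URL has a credential."""
    findings = []
    for app, buildpack in sorted(apps.items()):
        flagged, safe = audit_buildpack(buildpack)
        if flagged:
            findings.append((app, safe))
    return findings


# Constructed sample input: app name -> buildpack setting.
SAMPLE_APPS = {
    "billing": "https://deploy:s3cret@github.com/example-org/private-buildpack.git#v1.2",
    "reports": "https://constructed-token@git.example.com:8443/bp/custom.git",
    "web": "https://github.com/example-org/public-buildpack.git",
    "worker": "ruby_buildpack",
}

if __name__ == "__main__":
    for app, safe in audit(SAMPLE_APPS):
        print(f"{app}: buildpack URL embeds a credential (redacted: {safe})")
```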

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

- Upgrade to Cloud Foundry v245 [1] or later

Credit

Cloud Foundry Cloud Controller Team

References

- [1] https://github.com/cloudfoundry/cf-release/releases/tag/v245

History

2016-09-07: Initial vulnerability report published for CVE-2016-6638

2016-11-02: Vulnerability report published for CVE-2016-6658
