VYPR

Bosh

by Cloudfoundry


CVEs (6)

  • CVE-2026-41860 | High | Jun 4, 2026
    risk 0.57, CVSS 8.8, EPSS 0.00

    CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an attacker to intercept traffic between…

  • CVE-2017-4961 | High | Jun 13, 2017
    risk 0.57, CVSS 8.8, EPSS 0.00

    An issue was discovered in Cloud Foundry Foundation BOSH Release 261.x versions prior to 261.3 and all 260.x versions. In certain cases an authenticated Director user can provide a malicious checksum that could allow them to escalate their privileges on the Director VM, aka…

  • CVE-2026-41011 | High | Jun 4, 2026
    risk 0.53, CVSS 8.2, EPSS 0.00

    PackagePersister.validate_tgz builds "tar -tf #{tgz} 2>&1" where tgz = File.join(release_dir, 'packages', "#{name}.tgz") and name = package_meta['name'] comes directly from release.MF inside the uploaded tarball. The string is passed to Bosh::Common::Exec.sh, which executes via…

  • CVE-2018-11083 | High | Oct 5, 2018
    risk 0.53, CVSS 8.1, EPSS 0.01

    Cloud Foundry BOSH, versions v264 prior to v264.14.0 and v265 prior to v265.7.0 and v266 prior to v266.8.0 and v267 prior to v267.2.0, allows refresh tokens to be used as access tokens when using UAA for authentication. A remote attacker with an admin refresh token given by UAA can…

  • CVE-2026-41859 | High | Jun 4, 2026
    risk 0.51, CVSS 7.8, EPSS 0.00

    A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials (Basic auth header or UAA client secret) and can tamper with the VM list that is written into the NATS authorization file. Stolen credentials grant administrative director…

  • CVE-2026-41704 | Medium | May 27, 2026
    risk 0.33, CVSS 5.0, EPSS 0.00

    AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338) and passes it to download_and_delete_blob. Separately, any response containing…
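CVE-2026-41860 and CVE-2026-41859 both come down to a TLS client that does not verify its peer: with OpenSSL::SSL::VERIFY_NONE an on-path attacker can present any certificate and read the Basic-auth header or UAA client secret that follows the handshake. The Ruby below is an added illustration, not BOSH's own code. It runs a self-signed TLS echo server in-process (standing in for the attacker's endpoint) and connects three ways: with VERIFY_NONE, with VERIFY_PEER against an empty trust store, and with VERIFY_PEER after trusting that one certificate. The certificate, the loopback server, the name "localhost" and the credential string are all constructed for the example.

```ruby
require 'openssl'
require 'socket'

# Self-signed certificate generated in-process (constructed for this example);
# it plays the part of whatever certificate an on-path attacker chooses to present.
def make_self_signed_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Minimal TLS echo server on an ephemeral loopback port: whatever the client sends
# first (here, a credential header) is echoed back, i.e. the "attacker" has read it.
def start_tls_echo_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  tcp    = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    loop do
      conn = nil
      begin
        conn = server.accept
        line = conn.gets
        conn.write("echo: #{line}") if line
      rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
        # a verifying client aborted the handshake: nothing was leaked, keep serving
      rescue IOError
        break # listener closed by the caller
      ensure
        conn&.close
      end
    end
  end
  [tcp.addr[1], server, thread]
end

# Client side. verify_mode is the setting the advisory is about; trusted_cert
# stands in for a properly configured CA bundle.
def tls_connect(port, verify_mode, trusted_cert: nil, hostname: 'localhost')
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify_mode
  if trusted_cert
    store = OpenSSL::X509::Store.new
    store.add_cert(trusted_cert)
    ctx.cert_store = store
  end
  ctx.verify_hostname = (verify_mode == OpenSSL::SSL::VERIFY_PEER)
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  ssl.hostname   = hostname # SNI, and the name checked against the certificate's SAN
  ssl.sync_close = true
  begin
    ssl.connect
  rescue OpenSSL::SSL::SSLError => e
    ssl.close
    return { ok: false, error: e.message }
  end
  # Handshake succeeded, so the client now sends its secret (constructed value).
  ssl.puts("Authorization: Basic #{['director:s3cret'].pack('m0')}")
  reply = ssl.gets
  ssl.close
  { ok: true, reply: reply }
end

# VERIFY_NONE hands the credential to the impostor; VERIFY_PEER refuses the
# untrusted certificate and only talks once the peer is actually trusted.
def demo_verify_modes
  cert, key = make_self_signed_cert('localhost')
  port, server, thread = start_tls_echo_server(cert, key)
  results = {
    verify_none:           tls_connect(port, OpenSSL::SSL::VERIFY_NONE),
    verify_peer_untrusted: tls_connect(port, OpenSSL::SSL::VERIFY_PEER),
    verify_peer_trusted:   tls_connect(port, OpenSSL::SSL::VERIFY_PEER, trusted_cert: cert)
  }
  server.close
  thread.join(5)
  results
end
```

The fix for the pattern in the advisory is the middle and last cases together: VERIFY_PEER plus a trust store that actually contains the director's CA, and hostname verification enabled so a validly signed certificate for some other name is rejected too.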
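CVE-2026-41011 is a textbook shell injection: a value read from release.MF inside an attacker-supplied tarball is interpolated into a command string that is then run through the shell. The Ruby below is an added example, not BOSH's code, reconstructing only the shape the advisory describes ("tar -tf #{tgz} 2>&1" with the name joined into the path) and placing a hardened form beside it: a conservative allow-list for the package name, a traversal check, and the argv form of Open3.capture2e so no shell parses the name at all. The crafted name and the temporary release directory are constructed for the example.

```ruby
require 'open3'
require 'tmpdir'

# The shape described in the advisory: a package name taken from release.MF is
# interpolated into a shell command string (illustrative, not BOSH's code).
def unsafe_tar_listing_command(release_dir, name)
  tgz = File.join(release_dir, 'packages', "#{name}.tgz")
  "tar -tf #{tgz} 2>&1"
end

def run_via_shell(cmd)
  # A single string containing shell metacharacters is handed to /bin/sh -c,
  # which is exactly where the injected part gets executed.
  out, _status = Open3.capture2e(cmd)
  out
end

# Hardened form (illustrative): allow-list the name, refuse traversal, and use
# the argv form of capture2e so the name is an argument, never shell text.
SAFE_PACKAGE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/

def validate_package_name!(name)
  ok = name.is_a?(String) && SAFE_PACKAGE_NAME.match?(name) && !name.include?('..')
  raise ArgumentError, 'invalid package name' unless ok
  name
end

def safe_list_tgz(release_dir, name)
  validate_package_name!(name)
  tgz = File.join(release_dir, 'packages', "#{name}.tgz")
  out, status = Open3.capture2e('tar', '-tf', tgz) # argv form: no shell involved
  [out, status.success?]
end

# True only if the injected command actually ran (a line that is exactly the
# marker, not tar merely echoing the odd file name back in an error message).
def injected?(output)
  output.lines.any? { |l| l.chomp == 'INJECTED' }
end

# Runs both forms against a crafted name (constructed for the example).
def demo_package_name_injection
  Dir.mktmpdir do |dir|
    malicious = 'x.tgz; echo INJECTED; #'
    cmd = unsafe_tar_listing_command(dir, malicious)
    shell_output = run_via_shell(cmd)

    # Even without the allow-list, the argv form treats the whole name as one
    # file-name argument; tar just fails to open it.
    argv_output = begin
      out, _status = Open3.capture2e('tar', '-tf', File.join(dir, 'packages', "#{malicious}.tgz"))
      out
    rescue Errno::ENOENT
      'tar is not installed'
    end

    safe_error = begin
      safe_list_tgz(dir, malicious)
      nil
    rescue ArgumentError => e
      e.message
    end

    {
      command:        cmd,
      shell_injected: injected?(shell_output),
      argv_injected:  injected?(argv_output),
      safe_error:     safe_error
    }
  end
end
```

Both layers matter: the allow-list rejects the hostile name before anything runs, and the argv form means that even a name the validator missed cannot reach a shell. Validation should also be applied to every other field of release.MF that ends up in a path or a command, not only the package name.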
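CVE-2018-11083 is a token-type confusion: a refresh token from the same issuer carries a valid signature and an expiry, so a verifier that checks only those two things accepts it as an access token. The Ruby below is an added example, not BOSH's or UAA's code; it uses a toy HS256 JWT issuer and verifier with a hypothetical token_kind claim, a locally generated key, and constructed claims. UAA's real token format and claim layout are not reproduced; what carries over is the check itself: the verifier must positively establish that it holds an access token rather than assume it.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Toy HS256 JWT (constructed for this example). Both token kinds below are
# signed with the same key, which is the situation the advisory describes.

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def hs256(key, data)
  OpenSSL::HMAC.digest('SHA256', key, data)
end

def issue_token(key, claims)
  header  = b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  payload = b64url(JSON.generate(claims))
  "#{header}.#{payload}.#{b64url(hs256(key, "#{header}.#{payload}"))}"
end

# Constant-time comparison so the signature check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Accepts only a signed, unexpired *access* token. The last check is the one a
# verifier vulnerable to this class of bug lacks; without it a refresh token
# with a good signature passes.
def verify_access_token(key, token, now: Time.now.to_i)
  header, payload, sig = token.to_s.split('.', 3)
  raise 'malformed token' if sig.nil?
  hdr = JSON.parse(Base64.urlsafe_decode64(header))
  raise 'unexpected alg' unless hdr['alg'] == 'HS256'
  expected = b64url(hs256(key, "#{header}.#{payload}"))
  raise 'bad signature' unless secure_equal?(expected, sig)
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  raise 'token expired' unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  raise 'not an access token' unless claims['token_kind'] == 'access' # hypothetical claim
  claims
end

# :accepted, or the reason the token was refused.
def classify(key, token, now: Time.now.to_i)
  verify_access_token(key, token, now: now)
  :accepted
rescue RuntimeError, ArgumentError, JSON::ParserError => e
  e.message
end

def demo_token_kinds
  key = OpenSSL::Random.random_bytes(32) # constructed signing key
  now = Time.now.to_i
  base    = { 'sub' => 'admin', 'scope' => ['bosh.admin'], 'exp' => now + 3600 }
  access  = issue_token(key, base.merge('token_kind' => 'access'))
  refresh = issue_token(key, base.merge('token_kind' => 'refresh', 'exp' => now + 86_400))
  # Forgery attempt: relabel the refresh token as access without re-signing.
  h, _p, s = refresh.split('.', 3)
  forged = [h, b64url(JSON.generate(base.merge('token_kind' => 'access'))), s].join('.')
  {
    access:  classify(key, access,  now: now),
    refresh: classify(key, refresh, now: now),
    forged:  classify(key, forged,  now: now)
  }
end
```

The refresh token in the demo has the same subject and scopes as the access token and a longer lifetime, so signature and expiry checks alone would happily admit it; only the kind check turns it away. Whatever claim or field a real issuer uses to distinguish the two, the verifier has to test it explicitly.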
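CVE-2026-41704 describes a reply handler that reads compile_log_id out of every NATS response and hands it to a blob download-and-delete routine, regardless of which request the reply answers. The Ruby below is an added example, not BOSH's code, of the correlation and scoping a practitioner would want on that path: replies are matched to an outstanding request by id and dropped when unsolicited, the compile_log_id field is only read from the reply to a compile request, and the id must match an expected shape before it reaches the blobstore. The in-memory blobstore, the assumption that blob ids are UUIDs, the request-id correlation scheme and all message contents are constructed for the example.

```ruby
require 'securerandom'

# In-memory stand-in for the blobstore (constructed for this example).
class FakeBlobstore
  attr_reader :deleted

  def initialize(blobs)
    @blobs   = blobs
    @deleted = []
  end

  def download_and_delete(id)
    data = @blobs.delete(id) or raise KeyError, "no blob #{id}"
    @deleted << id
    data
  end
end

# Replies are only honoured when they answer a request this client actually
# sent, and a compile log id is only read from the reply to a compile request.
class AgentReplyHandler
  # Assumption for the example: blob ids are UUIDs. Anything else never
  # reaches the blobstore.
  BLOB_ID = /\A[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\z/

  def initialize(blobstore)
    @blobstore = blobstore
    @pending   = {} # request_id => method name
  end

  # Record an outgoing request; the id is the correlation key for its reply.
  def send_request(method)
    id = SecureRandom.uuid
    @pending[id] = method
    id
  end

  def handle_reply(reply)
    method = @pending.delete(reply['request_id'])
    return { action: :dropped, reason: 'unsolicited reply' } unless method
    return { action: :ok, method: method } unless method == 'compile_package'
    id = reply.dig('value', 'result', 'compile_log_id')
    return { action: :ok, method: method } if id.nil?
    unless id.is_a?(String) && BLOB_ID.match?(id)
      return { action: :rejected, reason: 'bad compile_log_id' }
    end
    { action: :fetched, log: @blobstore.download_and_delete(id) }
  rescue KeyError, TypeError => e
    { action: :rejected, reason: e.message }
  end
end

# Four replies (constructed): the legitimate one, the same field smuggled into
# a ping reply, an unsolicited reply, and a compile reply with a hostile id.
def demo_reply_handling
  log_id = 'deadbeef-0000-4000-8000-000000000001'
  store  = FakeBlobstore.new({ log_id => "compile log\n" })
  h = AgentReplyHandler.new(store)

  compile_id = h.send_request('compile_package')
  ping_id    = h.send_request('ping')
  payload    = { 'result' => { 'compile_log_id' => log_id } }

  {
    compile:     h.handle_reply({ 'request_id' => compile_id, 'value' => payload }),
    ping:        h.handle_reply({ 'request_id' => ping_id,    'value' => payload }),
    unsolicited: h.handle_reply({ 'request_id' => 'nope',     'value' => payload }),
    bad_id:      h.handle_reply({ 'request_id' => h.send_request('compile_package'),
                                  'value' => { 'result' => { 'compile_log_id' => '../../etc/passwd' } } }),
    deleted:     store.deleted
  }
end
```

The property worth checking is the last entry of the result: after all four replies, exactly one blob was fetched and deleted, and it was the one named by the reply to the compile request. Any design where the id can come from any reply lets whoever can publish on the NATS subject choose which blobs the director downloads and removes.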