CVE-2018-15796
Signing Key Extraction in Bits Service Release
Vexday Risk Score
21 (Low)
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.1 · EPSS 0.7% · KEV no · PoC — · Nuclei — · Metasploit — · Patch —
Lifecycle
09 Nov 2018: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Cloud Foundry Bits Service Release, versions prior to 2.14.0, uses an insecure hashing algorithm to sign URLs. A remote malicious user may obtain a signed URL and extract the signing key, allowing them complete read and write access to the Bits Service storage.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected products
Cloud Foundry · bits-service-release