{"id":"CVE-2019-3800","details":"CF CLI versions prior to v6.45.0 (bosh release version 1.16.0) write the client id and secret to the CLI config file when the user authenticates with the --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as the client that owns the leaked credentials.","modified":"2026-04-10T04:18:07.922013Z","published":"2019-08-05T17:15:10.960Z","references":[{"type":"ADVISORY","url":"https://pivotal.io/security/cve-2019-3800"},{"type":"ADVISORY","url":"https://www.cloudfoundry.org/blog/cve-2019-3800"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bosh-packages/cf-cli-release","events":[{"introduced":"0"},{"fixed":"887987f75ef1e086669d51b267456111fd89efdb"},{"introduced":"0"},{"fixed":"35caa229ead3dc8dceba1dcc22a38b772344539e"},{"introduced":"0"},{"fixed":"70220234548fe75c4d4e2ff138f4552c00e66b16"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.16.0"},{"introduced":"0"},{"fixed":"1.7.0"},{"introduced":"0"},{"fixed":"1.1.0"}]}},{"type":"GIT","repo":"https://github.com/cloudfoundry/app-autoscaler-release","events":[{"introduced":"0"},{"fixed":"c31a2ae24c17f3ca33b8cdea80f2d550abd7a017"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.2.4"}]}},{"type":"GIT","repo":"https://github.com/cloudfoundry/cf-deployment","events":[{"introduced":"0"},{"fixed":"98c1d5af66e2d316711bf8a4cab0d44f88c61fa3"},{"introduced":"0"},{"fixed":"0e09c6903465ef59926c7a44e4613dfd098e3a00"},{"introduced":"0"},{"fixed":"2be1119a9eae25c098d68021330fc15de481c2ae"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"10.0.0"},{"introduced":"0"},{"fixed":"9.3.0"},{"introduced":"0"},{"fixed":"0.29.0"}]}},{"type":"GIT","repo":"https://github.com/cloudfoundry/cf-networking-release","events":[{"introduced":"0"},{"fixed":"12f0f71df65ae17c1d29f7171d4822df95302058"},{"introduced":"0"},{"fixed":"7b05a41fb56d6c9296cbf40e74d9834ea09b757e"},{"introduced":"2056256358fcec8
c05b3c35eb7ce259850772a9d"},{"fixed":"7efa2384ede63f0013ec2b3ff7fa6f943fca4f46"},{"introduced":"0"},{"fixed":"94ff6c8187ac070601c2e7e54273c30751c594eb"},{"introduced":"0"},{"fixed":"abab3cf09f2c7c038fef6e3903eadb3fd9d77072"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.23.0"},{"introduced":"0"},{"fixed":"1.3.2"},{"introduced":"1.8.0"},{"fixed":"1.8.4"},{"introduced":"0"},{"fixed":"3.11.0"},{"introduced":"0"},{"fixed":"1.0.1"}]}},{"type":"GIT","repo":"https://github.com/cloudfoundry/cli","events":[{"introduced":"0"},{"fixed":"5f9ff16f99a0345f98f147765db0e36aef91c795"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.45.0"}]}},{"type":"GIT","repo":"https://github.com/cloudfoundry/log-cache-release","events":[{"introduced":"0"},{"fixed":"809710fa4a787e876fd5106e365931c0be158d25"},{"introduced":"6d70e8c3099a2c660be67f33f930fac354d66fa6"},{"fixed":"c6d5187a140170c18c93bcaf404a16c38e3a6fad"},{"introduced":"0"},{"fixed":"81f912db0308d5f516ffe5480e3581b601f23057"},{"introduced":"0"},{"fixed":"a09388056b6236b582281da5a8f221c2d03bb8e4"},{"introduced":"0"},{"fixed":"a09388056b6236b582281da5a8f221c2d03bb8e4"},{"introduced":"0"},{"fixed":"a09388056b6236b582281da5a8f221c2d03bb8e4"},{"introduced":"0"},{"fixed":"a09388056b6236b582281da5a8f221c2d03bb8e4"},{"introduced":"0"},{"fixed":"a09388056b6236b582281da5a8f221c2d03bb8e4"},{"introduced":"0"},{"fixed":"a09388056b6236b582281da5a8f221c2d03bb8e4"},{"introduced":"0"},{"fixed":"a09388056b6236b582281da5a8f221c2d03bb8e4"},{"introduced":"0"},{"fixed":"b61ab3d28715f3ba1f7ced52cf8224b38117773f"},{"introduced":"0"},{"fixed":"59d15d156471b79d89056d0948dcad503e8f536e"},{"introduced":"0"},{"fixed":"750c6a78bf0fb5776a9baedba317badb23f8061c"},{"introduced":"0"},{"fixed":"a415333e2dbb4e5f02040b64d7a310c6d4c8265d"},{"introduced":"0"},{"fixed":"77eeb0d0b5301d91063a95e161e9fa64369caa7e"},{"introduced":"0"},{"fixed":"a09388056b6236b582281da5a8f221c2d03bb8e4"},{"introduced":"0"},{"fixed":"27d7783d9f390f8daf33f5cc9b59
412cc6e745c2"},{"introduced":"0"},{"fixed":"27d7783d9f390f8daf33f5cc9b59412cc6e745c2"},{"introduced":"0"},{"fixed":"a415333e2dbb4e5f02040b64d7a310c6d4c8265d"},{"introduced":"0"},{"fixed":"a415333e2dbb4e5f02040b64d7a310c6d4c8265d"},{"introduced":"0"},{"fixed":"a415333e2dbb4e5f02040b64d7a310c6d4c8265d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.3.1"},{"introduced":"1.4.0"},{"fixed":"1.4.7"},{"introduced":"0"},{"fixed":"1.2"},{"introduced":"0"},{"fixed":"2.1.2"},{"introduced":"0"},{"fixed":"2.1.2"},{"introduced":"0"},{"fixed":"2.1.2"},{"introduced":"0"},{"fixed":"2.1.2"},{"introduced":"0"},{"fixed":"2.1.2"},{"introduced":"0"},{"fixed":"2.1.2"},{"introduced":"0"},{"fixed":"2.1.2"},{"introduced":"0"},{"fixed":"3.1.3"},{"introduced":"0"},{"fixed":"3.1.1"},{"introduced":"0"},{"fixed":"2.2.0"},{"introduced":"0"},{"fixed":"1.1.1"},{"introduced":"0"},{"fixed":"1.4.2"},{"introduced":"0"},{"fixed":"2.1.2"},{"introduced":"0"},{"fixed":"1.4.1"},{"introduced":"0"},{"fixed":"1.4.1"},{"introduced":"0"},{"fixed":"1.1.1"},{"introduced":"0"},{"fixed":"1.1.1"},{"introduced":"0"},{"fixed":"1.1.1"}]}},{"type":"GIT","repo":"https://github.com/cloudfoundry/routing-release","events":[{"introduced":"0"},{"fixed":"07fdc7dd37d538f5f4616b72ea51ccf329d0d02d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.189.0"}]}},{"type":"GIT","repo":"https://github.com/redis/redis","events":[{"introduced":"a502f48320f1e4aab3ee4020a99a6430a42da9a9"},{"fixed":"1fa954a558ae504040632bad44bc0b3663bbb17d"},{"introduced":"0"},{"fixed":"54a2934f10b4379dc3dc8072f440ed3985eff7f8"}],"database_specific":{"versions":[{"introduced":"2.4.0"},{"fixed":"2.4.10"},{"introduced":"0"},{"fixed":"2.4.4"}]}}],"versions":["0.0.1-cli","0.0.2-cli","0.0.3-cli","0.1.0","0.1.1","0.118.0","0.12.0","0.121.0","0.123.0","0.13.0","0.134.0","0.136.0","0.137.0","0.142.0","0.147.0","0.15.0","0.154.0","0.157.0","0.160.0","0.162.0","0.166.0","0.17.0","0.171.0","0.172.0","0.173.0","0.174.0","0.175.0","0.176.0
","0.178.0","0.179.0","0.180.0","0.183.0","0.184.0","0.186.0","0.187.0","0.2.0","0.2.1","0.20.0","0.21.0","0.24.0","0.5.0","0.62.0","0.66.0","0.69.0","0.8.0","0.99.0","1.0.0","1.10.0","1.3.4","1.4.0","1.5.0","1.6.0","1.7.0","1.8.1","1.8.2","1.8.3","2.18.0","2.21.0","2.22.0","2.32.0","2.33.0","2.36.0","2.4.0","2.4.1","2.4.2","2.4.3","2.4.4","2.4.5","2.4.6","2.4.7","2.4.8","2.4.9","2.41.0","2.42.0","2.43.0","3.0.0","3.1.0","3.2.0","3.3.0","3.5.0","3.7.0","3.8.0","3.9.0","push","st","v0.0.0","v0.0.1","v0.0.1-cli","v0.0.1.alpha","v0.0.2","v0.0.2-cli","v0.0.3-cli","v0.1","v0.1.0","v0.10.0","v0.11.0","v0.12.0","v0.13.0","v0.14.0","v0.15.0","v0.17.0","v0.2.0","v0.2.1","v0.2.2","v0.20.0","v0.21.0","v0.24.0","v0.28.0","v0.29.0","v0.3.0","v0.30.0","v0.31.0","v0.32.0","v0.33.0","v0.34.0","v0.35.0","v0.36.0","v0.37.0","v0.4.0","v0.5.0","v0.7.0","v0.8.0","v0.9.0","v0.9.1","v1.0.0","v1.1.0","v1.1.1","v1.10.0","v1.11.0","v1.12.0","v1.13.0","v1.14.0","v1.15.0","v1.16.0","v1.17.0","v1.18.0","v1.19.0","v1.2.0","v1.2.1","v1.2.3","v1.20.0","v1.21.0","v1.22.0","v1.23.0","v1.24.0","v1.25.0","v1.26.0","v1.27.0","v1.28.0","v1.29.0","v1.3.0","v1.3.4","v1.30.0","v1.31.0","v1.32.0","v1.33.0","v1.34.0","v1.35.0","v1.36.0","v1.37.0","v1.38.0","v1.4.0","v1.4.1","v1.4.2","v1.4.4","v1.4.6","v1.5.0","v1.6.0","v1.7.0","v1.8.0","v1.8.1","v1.8.2","v1.8.3","v1.9.0","v2.0.0","v2.0.1","v2.1.0","v2.10.0","v2.10.1","v2.10.2","v2.10.3","v2.11.0","v2.11.1","v2.11.10","v2.11.11","v2.11.12","v2.11.13","v2.11.2","v2.11.3","v2.11.4","v2.11.5","v2.11.6","v2.11.7","v2.11.8","v2.11.9","v2.12.0","v2.12.1","v2.12.2","v2.12.3","v2.12.4","v2.12.5","v2.12.6","v2.2.0","v2.3.0","v2.4.0","v2.5.0","v2.5.2","v2.6.0","v2.6.6","v2.7.0","v2.8.0","v2.9.0","v3.0.0","v3.0.1","v3.0.10","v3.0.11","v3.0.12","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.0.6","v3.0.7","v3.0.8","v3.0.9","v3.1.0","v3.1.1","v3.1.2","v3.10.0","v3.2.0","v3.3.0","v3.4.0","v3.5.0","v3.6.0","v3.9.0","v4.0.0","v4.1.0","v4.2.0","v4.3.0","v4.4.0","v4.5.0","v5.0.0","v5.
1.0","v5.3.0","v5.4.0","v5.5.0","v6.0.0","v6.0.0-beta","v6.0.0-beta2","v6.0.1234","v6.1.0","v6.1.1","v6.1.2","v6.10.0","v6.11.0","v6.11.1","v6.11.2","v6.11.3","v6.12.0","v6.12.1","v6.12.2","v6.12.3","v6.12.4","v6.13.0","v6.14.0","v6.14.1","v6.15.0","v6.16.0","v6.17.0","v6.17.1","v6.18.0","v6.18.1","v6.19.0","v6.2.0","v6.20.0","v6.21.0","v6.21.1","v6.22.1","v6.23.0","v6.23.1","v6.24.0","v6.25.0","v6.26.0","v6.27.0","v6.28.0","v6.29.0","v6.29.1","v6.29.2","v6.3.0","v6.3.1","v6.3.2","v6.30.0","v6.31.0","v6.32.0","v6.33.0","v6.33.1","v6.34.0","v6.34.1","v6.35.0","v6.35.1","v6.35.2","v6.36.0","v6.36.1","v6.37.0","v6.38.0","v6.39.0","v6.39.1","v6.4.0","v6.40.0","v6.40.1","v6.41.0","v6.42.0","v6.43.0","v6.43.1-1","v6.44.0","v6.44.1","v6.5.0","v6.5.1","v6.6.0","v6.6.1","v6.6.2","v6.7.0","v6.8.0","v6.9.0","v7.0.0","v7.1.0","v7.10.0","v7.11.0","v7.2.0","v7.3.0","v7.4.0","v7.5.0","v7.6.0","v7.8.0","v7.9.0","v8.0.0","v8.1.0","v9.0.0","v9.1.0","v9.2.0","v9000","v9001"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"58"}]},{"events":[{"introduced":"0"},{"fixed":"40.0.113"}]},{"events":[{"introduced":"2.3.0"},{"fixed":"2.3.14"}]},{"events":[{"introduced":"2.5.0"},{"fixed":"2.5.6"}]},{"events":[{"introduced":"0"},{"fixed":"219"}]},{"events":[{"introduced":"0"},{"fixed":"1.2.8"}]},{"events":[{"introduced":"1.5.0"},{"fixed":"1.5.4"}]},{"events":[{"introduced":"0"},{"fixed":"1.4.13"}]},{"events":[{"introduced":"1.7.0"},{"fixed":"1.7.5"}]},{"events":[{"introduced":"1.9.0"},{"fixed":"1.9.1"}]},{"events":[{"introduced":"0"},{"fixed":"4.7.652"}]},{"events":[{"introduced":"0"},{"fixed":"4.6.64"}]},{"events":[{"introduced":"0"},{"fixed":"4.7.712"}]},{"events":[{"introduced":"0"},{"fixed":"1.0.2"}]},{"events":[{"introduced":"0"},{"fixed":"4.2.3"}]},{"events":[{"introduced":"0"},{"fixed":"1.1.17"}]},{"events":[{"introduced":"0"},{"fixed":"1.12.64"}]},{"events":[{"introduced":"0"},{"fixed":"10.21.1-bl516"}]},{"events":[{"introduced":"0"},{"fixed":"1.0.3"}]},{
"events":[{"introduced":"0"},{"fixed":"2.3.2"}]},{"events":[{"introduced":"0"},{"fixed":"1.2.14"}]},{"events":[{"introduced":"0"},{"fixed":"1.0.2"}]},{"events":[{"introduced":"0"},{"fixed":"1.1.8"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3800.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}