Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2016-4435

An endpoint of the Agent running on the BOSH Director VM with stemcell versions prior to 3232.6 and 3146.13 may allow unauthenticated clients to read or write blobs or cause a denial of service attack on the Director VM. This vulnerability requires that the unauthenticated clients guess or find a URL matching an existing GUID.

Published

2017-05-25T17:29:00.677

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 9.0 (CRITICAL)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Primary
CWE-264

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	pivotal	bosh_stemcell	≤ 3232.4	Yes
Application	pivotal	bosh_stemcell	3146.13	Yes

References

https://pivotal.io/security/cve-2016-4435 Third Party Advisory ([email protected])
https://pivotal.io/security/cve-2016-4435 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)