Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repo. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud Controller database could view these credentials.
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-6658.json"
[
  {
    "events": [
      {
        "introduced": "0"
      },
      {
        "fixed": "1.6.49"
      }
    ]
  },
  {
    "events": [
      {
        "introduced": "1.7.0"
      },
      {
        "fixed": "1.7.31"
      }
    ]
  },
  {
    "events": [
      {
        "introduced": "1.8.0"
      },
      {
        "fixed": "1.8.11"
      }
    ]
  }
]