LiveActive security incident?Get immediate response
CVE Record

CVE-2019-3800: CF CLI writes the client id and secret to config file

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

MediumCVSS 6.3Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2019-3800 exposes Cloud Foundry client credentials because affected CF CLI versions saved the client ID and secret in the CLI config file after client-credentials authentication. The risk is local: someone already authenticated on the same system and able to read that file could impersonate the client.

Executive priority

Treat as a moderate credential exposure issue. Prioritize shared administrative systems, CI runners, and developer machines with Cloud Foundry access, because leaked client credentials may let an insider or local attacker act as that client.

Technical view

CF CLI versions before v6.45.0 and CF CLI Release v1.x before v1.16.0 improperly store client credentials in a config file when using the --client-credentials flag. This is CWE-522 credential storage exposure with local attack prerequisites and limited confidentiality, integrity, and availability impact.

Likely exposure

Exposure is most likely on developer workstations, jump hosts, build agents, or automation systems using vulnerable CF CLI versions with client-credential authentication. Systems not using that flag are not shown as affected by the provided sources.

Exploitation context

The source bundle does not show public exploitation or CISA KEV listing. Exploitation requires a local authenticated malicious user with access to the CF CLI config file, limiting internet-scale risk but raising concern on shared or compromised hosts.

Researcher notes

The key condition is authentication with --client-credentials on vulnerable CF CLI versions. Evidence supports local authenticated access only. The provided sources do not establish remote exploitation, active exploitation, or affected products beyond Cloud Foundry CF CLI and CF CLI Release.

Mitigation direction

  • Upgrade CF CLI to v6.45.0 or later where applicable.
  • Upgrade CF CLI Release to v1.16.0 or later where applicable.
  • Check Cloud Foundry and Pivotal advisories for environment-specific guidance.
  • Rotate client credentials that may have been stored on vulnerable systems.
  • Restrict local access to hosts containing CF CLI config files.

Validation and detection

  • Inventory CF CLI versions on workstations, jump hosts, and automation images.
  • Identify users or jobs that authenticated with --client-credentials.
  • Review affected systems for stored CF CLI client credentials.
  • Confirm upgraded systems no longer use vulnerable CF CLI releases.
  • Verify credential rotation for clients used on vulnerable hosts.
Prepared
Confidence
high
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-522: Credential and account abuse lookup

Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Credential and access behavior lookup

The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2019-3800 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.3 (3.0)
Known Exploited
No
Published

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.3CVSS 3.0MediumCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L23.7Primary CVE score

Vulnerability scoring details

Base CVSS 3.0 score

6.3Medium
CVSS 3.0 vector shape for CVE-2019-3800Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Cloud FoundryCF CLI Releasev1.x before v1.16.0Listed
Cloud FoundryCF CLIversions prior to v6.45.0Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-522 · source CWE mapping

Insufficiently Protected Credentials

Insufficiently Protected Credentials represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.