CVE-2018-11081

Summary

Pivotal Operations Manager, versions 2.2.x prior to 2.2.1, 2.1.x prior to 2.1.11, 2.0.x prior to 2.0.16, and 1.11.x prior to 2, fails to write the Operations Manager UAA config onto the temp RAM disk, thus exposing the configs directly onto disk. A remote user that has gained access to the Operations Manager VM, can now file search and find the UAA credentials for Operations Manager on the system disk..

Affected Software

VendorProductVersion RangeStatus
Pivotalpivotal-ops-manager1.11.x <= 2affected
Pivotalpivotal-ops-manager2.0.x < 2.0.16affected
Pivotalpivotal-ops-manager2.1.x < 2.1.11affected
Pivotalpivotal-ops-manager2.2.x < 2.2.1affected

Weaknesses

  • Cleartext Storage in a File or on Disk

ADP Enrichment

CVE Program Container

Additional References

References