During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM's DAV blobstore over HTTPS without verifying the server certificate, even though a CA certificate for that endpoint is available in the installation manifest. A network attacker can terminate the TLS connection, harvest the Basic-auth credentials, and read the rendered-templates archive containing every bootstrap secret for the new BOSH Director, then replay the credentials against the real VM's agent for root code execution.
Affected versions: bosh-cli versions prior to v7.10.4.
Metrics
Affected Vendors & Products
References
History
Thu, 09 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 09 Jul 2026 07:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM's DAV blobstore over HTTPS without verifying the server certificate, even though a CA certificate for that endpoint is available in the installation manifest. A network attacker can terminate the TLS connection, harvest the Basic-auth credentials, and read the rendered-templates archive containing every bootstrap secret for the new BOSH Director, then replay the credentials against the real VM's agent for root code execution. Affected versions: bosh-cli versions prior to v7.10.4. | |
| Title | Missing TLS Certificate Verification in BOSH CLI Allows Root Code Execution via Man-in-the-Middle Credential Replay | |
| References |
| |
| Metrics |
cvssV3_0
|
Status: PUBLISHED
Assigner: vmware
Published:
Updated: 2026-07-09T12:50:23.498Z
Reserved: 2026-05-20T10:00:48.931Z
Link: CVE-2026-47828
Updated: 2026-07-09T12:50:20.424Z
No data.
No data.
OpenCVE Enrichment
No data.