CVE-2026-41859 in BOSHthông tin

Tóm tắt

Bởi MITRE • 04/06/2026

A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials (Basic auth header or UAA client secret) and can tamper with the VM list that is written into the NATS authorization file. Stolen credentials grant administrative director access. UsersSync#bosh_api_response_body builds a Net::HTTP client with verify_mode = OpenSSL::SSL::VERIFY_NONE for every director call (/info, /deployments, /deployments//vms).

Affected versions: - BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

chịu trách nhiệm

Vmware

Đặt trước

22/04/2026

Tiết lộ

04/06/2026

Kiểm duyệt

được chấp nhận

mục

VDB-368234

CPE

sẵn sàng

CWE

CWE-295 (Đã xác nhận)

CVSS

7.8 (CNA)

EPSS

0.00000

KEV

không

Các hoạt động

thấp

ngành

Telecommunication, Pharma, ...

Nguồn

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-41859
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-41859
CVE Details	https://www.cvedetails.com/cve/CVE-2026-41859/

◂ Trước Tổng Quan Tiếp theo ▸

Do you need the next level of professionalism?

Upgrade your account now!