Description
ReleaseJob#unpack builds job_dir = File.join(@release_dir, 'jobs', name) and job_tgz = File.join(@release_dir, 'jobs', "#{name}.tgz") where name returns @job_meta['name'], a value taken verbatim from the jobs: array of the attacker-supplied release.MF inside the uploaded tarball. These paths are then interpolated into a shell string: Bosh::Common::Exec.sh("tar -C #{job_dir} -xf #{job_tgz} 2>&1", :on_error => :return). Bosh::Common::Exec.sh executes via %x{#{command}} (bosh-common/lib/bosh/common/exec.rb:53), i.e. /bin/sh -c, so any shell metacharacters in name are interpreted. FileUtils.mkdir_p(job_dir) on line 49 creates the literal directory (no shell) and succeeds even when the name contains $()/;, so execution reaches the sh call.

Affected versions:
- BOSH Director: all versions prior to v282.1.12; fixed in v282.1.12 or later
Published: 2026-06-04
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when the ReleaseJob#unpack method constructs filesystem paths from the job name value supplied by an attacker in a release.MF file. This name is interpolated directly into a shell command string that is executed via sh -c, enabling the injection of shell metacharacters and execution of arbitrary commands. The flaw leads to remote code execution with the privileges of the BOSH Director process, potentially compromising the entire control plane.

Affected Systems

Cloud Foundry Foundation BOSH Director, all releases earlier than v282.1.12. The fix is available starting with v282.1.12.

Risk and Exploitability

With a CVSS v4.0 score of 8.7 (v3.1: 8.2) the vulnerability is classified as high severity. Note that both recorded vectors are AV:L with PR:H, and the v4.0 vector adds AT:P: the scorer assumed an attacker who already holds a privileged position on the Director, namely the ability to upload releases. The EPSS score is not provided, and the CVE is not listed in the CISA KEV catalog, so no in-the-wild exploitation has been recorded there; that is not evidence that no exploit exists. An attacker triggers the injection by uploading a crafted release tarball whose release.MF carries a job name containing shell metacharacters. The only precondition is the ability to upload a release, so any BOSH Director that accepts releases from untrusted or loosely controlled operators is exposed.

Generated by OpenCVE AI on June 4, 2026 at 05:51 UTC.

Remediation

No vendor advisory with a fix or workaround is linked yet; the CVE description states that the issue is fixed in BOSH Director v282.1.12 or later.

OpenCVE Recommended Actions

  • Update BOSH Director to v282.1.12 or newer, which removes the unsanitized shell interpolation
  • If an upgrade is not immediately possible, restrict the upload of release packages to trusted sources and validate the release.MF job name to deny shell metacharacters
  • Run the tar extraction under a restricted user or within a sandboxed environment so that an injected command cannot reach the rest of the Director host
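The following Ruby is an added example, not BOSH project code. It puts the string-interpolated tar call from the Description next to a hardened argv form that never invokes a shell, and adds the release.MF job-name pre-check the recommended actions call for. The job-name allow-list, the helper names, the sample manifest and the paths are assumptions made for the example; BOSH's actual naming rules may differ.

```ruby
# Added example (not BOSH project code): vulnerable string-interpolated tar
# call beside a hardened argv form, plus a release.MF job-name pre-check.
require 'fileutils'
require 'open3'
require 'shellwords'
require 'yaml'

# Assumed allow-list for job names (hypothetical; BOSH's real rules may differ):
# leading alphanumeric, then alphanumerics, '_', '-' or '.'; no '/' and no '..'.
JOB_NAME_RE = /\A[A-Za-z0-9][A-Za-z0-9_.-]*\z/.freeze

def valid_job_name?(name)
  name.is_a?(String) && name.match?(JOB_NAME_RE) && !name.include?('..')
end

def job_paths(release_dir, name)
  [File.join(release_dir, 'jobs', name), File.join(release_dir, 'jobs', "#{name}.tgz")]
end

# VULNERABLE pattern from the description: the untrusted name lands verbatim
# in a string that would be handed to %x{} (i.e. /bin/sh -c). Built here only,
# never executed, so the injected text is visible without running it.
def unsafe_tar_command(release_dir, name)
  job_dir, job_tgz = job_paths(release_dir, name)
  "tar -C #{job_dir} -xf #{job_tgz} 2>&1"
end

# Partial mitigation: escaping each argument keeps metacharacters inside one
# word, so the shell no longer sees a second command.
def escaped_tar_command(release_dir, name)
  job_dir, job_tgz = job_paths(release_dir, name)
  "tar -C #{Shellwords.escape(job_dir)} -xf #{Shellwords.escape(job_tgz)} 2>&1"
end

# Hardened form: reject bad names up front, then build an argv array so tar
# is exec'd directly and no shell ever parses the name.
def safe_tar_argv(release_dir, name)
  raise ArgumentError, "invalid job name: #{name.inspect}" unless valid_job_name?(name)
  job_dir, job_tgz = job_paths(release_dir, name)
  ['tar', '-C', job_dir, '-xf', job_tgz]
end

def safe_unpack(release_dir, name)
  argv = safe_tar_argv(release_dir, name)
  FileUtils.mkdir_p(argv[2])
  out, status = Open3.capture2e(*argv) # argv form => execve, not /bin/sh -c
  [status.success?, out]
end

# Pre-upload check: job names in a release.MF that fail the allow-list.
def suspicious_job_names(manifest_text)
  doc = YAML.safe_load(manifest_text) || {}
  Array(doc['jobs']).map { |job| job['name'].to_s }.reject { |n| valid_job_name?(n) }
end

# Constructed sample release.MF with one benign and one hostile job name.
SAMPLE_RELEASE_MF = <<~'YAML'
  name: demo-release
  version: '1'
  jobs:
  - name: nginx
    version: '1'
  - name: "x$(id>/tmp/pwned)"
    version: '1'
  packages: []
YAML

if __FILE__ == $PROGRAM_NAME
  hostile = 'x$(id>/tmp/pwned)'
  puts unsafe_tar_command('/var/vcap/data/tmp/rel', hostile)   # shell would run the $( ) part
  puts escaped_tar_command('/var/vcap/data/tmp/rel', hostile)  # $( ) now inert
  p suspicious_job_names(SAMPLE_RELEASE_MF)
  begin
    safe_tar_argv('/var/vcap/data/tmp/rel', hostile)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The durable fix is the argv form: `Open3.capture2e('tar', '-C', dir, ...)` passes the arguments straight to `execve`, so no metacharacter in the name is ever interpreted. `Shellwords.escape` is shown only as defence in depth for call sites that cannot drop the string form; the name allow-list belongs at the upload boundary so that a hostile manifest is rejected before anything is written under the release directory.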



Advisories

No advisories yet.

History

Thu, 04 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Title Command Injection via ReleaseJob Job Name in BOSH Director

Thu, 04 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Description ReleaseJob#unpack builds job_dir = File.join(@release_dir, 'jobs', name) and job_tgz = File.join(@release_dir, 'jobs', "#{name}.tgz") where name returns @job_meta['name'], a value taken verbatim from the jobs: array of the attacker-supplied release.MF inside the uploaded tarball. These paths are then interpolated into a shell string: Bosh::Common::Exec.sh("tar -C #{job_dir} -xf #{job_tgz} 2>&1", :on_error => :return). Bosh::Common::Exec.sh executes via %x{#{command}} (bosh-common/lib/bosh/common/exec.rb:53), i.e. /bin/sh -c, so any shell metacharacters in name are interpreted. FileUtils.mkdir_p(job_dir) on line 49 creates the literal directory (no shell) and succeeds even when the name contains $()/;, so execution reaches the sh call. Affected versions: - BOSH Director: all versions prior to v282.1.12 (inclusive); fixed in v282.1.12 or later
Weaknesses CWE-78
References
Metrics cvssV3_1: 8.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
cvssV4_0: 8.7 (CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)



MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-04T02:27:26.690Z

Reserved: 2026-04-16T02:19:16.427Z

Link: CVE-2026-41010

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-04T04:17:10.037

Modified: 2026-06-04T04:17:10.037

Link: CVE-2026-41010

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T06:00:08Z

Weaknesses