Description
ReleaseJob#unpack builds job_dir = File.join(@release_dir, 'jobs', name) and job_tgz = File.join(@release_dir, 'jobs', "#{name}.tgz") where name returns @job_meta['name'], a value taken verbatim from the jobs: array of the attacker-supplied release.MF inside the uploaded tarball. These paths are then interpolated into a shell string: Bosh::Common::Exec.sh("tar -C #{job_dir} -xf #{job_tgz} 2>&1", :on_error => :return). Bosh::Common::Exec.sh executes via %x{#{command}} (bosh-common/lib/bosh/common/exec.rb:53), i.e. /bin/sh -c, so any shell metacharacters in name are interpreted. FileUtils.mkdir_p(job_dir) on line 49 creates the literal directory (no shell) and succeeds even when the name contains $()/;, so execution reaches the sh call.

Affected versions:
- BOSH Director: all versions prior to v282.1.12 (inclusive); fixed in v282.1.12 or later
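As an added illustration (not BOSH's code and not part of the advisory), the single-string shell form described above is shown beside a hardened extractor that validates the release.MF job name against an allow-list (the regex is an assumption for this example) and hands tar an argv array so no shell is involved:

```ruby
require 'open3'
require 'fileutils'
require 'tmpdir'

# Allow-list for job names (an assumption for this example, not BOSH's rule):
# a leading alphanumeric, then alphanumerics, '.', '_' or '-'. Anything a shell
# or a path could interpret ($, (, ), ;, /, space, '..') is rejected outright.
JOB_NAME_RE = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/

class InvalidJobName < StandardError; end

def validate_job_name!(name)
  unless name.is_a?(String) && name.match?(JOB_NAME_RE) && !name.include?('..')
    raise InvalidJobName, "release.MF job name rejected: #{name.inspect}"
  end
  name
end

# The vulnerable shape from the advisory: one string destined for /bin/sh -c.
# Only built here, never executed, to show that nothing escapes the name.
def unsafe_command_string(release_dir, name)
  job_dir = File.join(release_dir, 'jobs', name)
  job_tgz = File.join(release_dir, 'jobs', "#{name}.tgz")
  "tar -C #{job_dir} -xf #{job_tgz} 2>&1"
end

# Hardened form: validate first, then pass argv as separate elements so no
# shell parses the name; it reaches tar as an opaque argument.
# Returns [success?, combined stdout/stderr].
def safe_unpack(release_dir, name)
  name = validate_job_name!(name)
  job_dir = File.join(release_dir, 'jobs', name)
  job_tgz = File.join(release_dir, 'jobs', "#{name}.tgz")
  FileUtils.mkdir_p(job_dir)
  out, status = Open3.capture2e('tar', '-C', job_dir, '-xf', job_tgz)
  [status.success?, out]
rescue Errno::ENOENT => e
  [false, e.message] # tar binary absent; still no shell was involved
end
```

A missing or corrupt tarball simply makes tar exit non-zero, which the caller sees as [false, output] rather than as a path into the shell.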
Published: 2026-06-04
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when the ReleaseJob#unpack method constructs filesystem paths from the job name value supplied by an attacker in a release.MF file. This name is interpolated directly into a shell command string that is executed via sh -c, enabling the injection of shell metacharacters and execution of arbitrary commands. The flaw leads to remote code execution with the privileges of the BOSH Director process, potentially compromising the entire control plane.

Affected Systems

Cloud Foundry Foundation BOSH Director, all releases earlier than v282.1.12. The fix is available starting with v282.1.12.

Risk and Exploitability

With a CVSS score of 8.7 the vulnerability is classified as high severity. The EPSS score is not provided, and it is not listed in the CISA KEV catalog, indicating no current public exploits are recorded. Attackers can trigger the injection by uploading a crafted release tarball containing a malicious release.MF. The exploit does not require special preconditions beyond the ability to upload a release, making it potentially exploitable in any BOSH Director environment that accepts external releases.

Generated by OpenCVE AI on June 4, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update BOSH Director to v282.1.12 or newer, which removes the unsanitized shell interpolation
  • If an upgrade is not immediately possible, restrict the upload of release packages to trusted sources and validate the release.MF job name to deny shell metacharacters
  • Configure the system to run the tar extraction under a restricted user or within a sandboxed environment to limit the impact of any injected command execution

History

Fri, 05 Jun 2026 08:00:00 +0000
  • First Time appeared: Cloud Foundry Foundation; Cloud Foundry Foundation bosh Director
  • Vendors & Products: Cloud Foundry Foundation; Cloud Foundry Foundation bosh Director

Thu, 04 Jun 2026 13:30:00 +0000
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 06:15:00 +0000
  • Title: Command Injection via ReleaseJob Job Name in BOSH Director

Thu, 04 Jun 2026 04:00:00 +0000
  • Description: identical to the Description and Affected versions text above
  • Weaknesses: CWE-78
  • References
  • Metrics: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-04T12:49:27.773Z

Reserved: 2026-04-16T02:19:16.427Z

Link: CVE-2026-41010

Vulnrichment

Updated: 2026-06-04T12:49:24.391Z

NVD

Status: Awaiting Analysis

Published: 2026-06-04T04:17:10.037

Modified: 2026-06-04T15:35:18.623

Link: CVE-2026-41010

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T07:45:35Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')