Description
A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials (Basic auth header or UAA client secret) and can tamper with the VM list that is written into the NATS authorization file. Stolen credentials grant administrative director access. UsersSync#bosh_api_response_body builds a Net::HTTP client with verify_mode = OpenSSL::SSL::VERIFY_NONE for every director call (/info, /deployments, /deployments/<name>/vms).

Affected versions:
- BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later
Published: 2026-06-04
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker performing a man‑in‑the‑middle between NATS Sync and the BOSH director to capture the director’s Basic authentication header or UAA client secret. It also enables tampering with the VM list that is written into the NATS authorization file. Stolen credentials provide full administrative access to the director. The weakness stems from an insecure SSL configuration (OpenSSL::SSL::VERIFY_NONE) in the Net::HTTP client, a classic example of CWE‑295.

Affected Systems

Cloud Foundry Foundation BOSH – all releases prior to v282.1.9 (inclusive) are affected. The issue was fixed in v282.1.9 or later releases.

Risk and Exploitability

With a CVSS score of 7.1 the vulnerability is rated as high. Exploitation requires network proximity to intercept traffic between NATS Sync and the director, which is likely in clustered or shared environments. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed exploits in the wild as of this analysis. Nonetheless, the ability to obtain administrative credentials poses a significant risk to confidentiality, integrity, and availability for impacted deployments.

Generated by OpenCVE AI on June 4, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official BOSH update to v282.1.9 or later, which disables VERIFY_NONE and enforces TLS verification.
  • Configure NATS Sync to require mutual TLS authentication and verify the BOSH director’s certificate before establishing a connection.
  • Review and revoke any UAA client secrets or basic credentials that may have been exposed, then rotate all director credentials.

Generated by OpenCVE AI on June 4, 2026 at 03:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
First Time appeared Cloud Foundry
Cloud Foundry bosh
Vendors & Products Cloud Foundry
Cloud Foundry bosh

Thu, 04 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Title Missing TLS in NATS Sync Enables Credential Theft from BOSH Director

Thu, 04 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials (Basic auth header or UAA client secret) and can tamper with the VM list that is written into the NATS authorization file. Stolen credentials grant administrative director access. UsersSync#bosh_api_response_body builds a Net::HTTP client with verify_mode = OpenSSL::SSL::VERIFY_NONE for every director call (/info, /deployments, /deployments/<name>/vms). Affected versions: - BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later
Weaknesses CWE-295
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:H/SA:H'}

Subscriptions

Cloud Foundry Bosh
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-04T01:51:45.608Z

Reserved: 2026-04-22T06:22:10.082Z

Link: CVE-2026-41859

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T03:16:19.947

Modified: 2026-06-04T03:16:19.947

Link: CVE-2026-41859

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T04:00:04Z

Weaknesses