Impact
The BOSH CLI tool’s handling of the ‘path’ key in blobs.yml contains a path traversal flaw that lets attackers craft a value that causes the CLI to write arbitrary files outside its intended directory. Based on the description, it is inferred that this could facilitate overwriting configuration files, injecting malicious code, or exfiltrating secrets, which aligns with CWE‑22 and CWE‑788. The vulnerability therefore compromises integrity and could lead to remote code execution if the written files are executed.
Affected Systems
The CloudFoundry Foundation BOSH Command Line Interface is affected. Versions earlier than v7.10.4 are vulnerable; any installation that processes user‑supplied blobs.yml files without the patch is at risk.
Risk and Exploitability
The CVSS score of 8.5 marks the flaw as high severity, while the EPSS score of below 1% indicates a low current exploitation rate and the issue is not yet identified in CISA's KEV catalog. Based on the information provided, it is inferred that an attacker capable of supplying or influencing the CLI’s input—potentially through malicious buildpacks, compromised developer machines, or insecure scripts—could exercise the path traversal to write arbitrary files, potentially leading to code execution or data loss.
OpenCVE Enrichment