Impact
The vulnerability stems from argument injection in the BOSH CLI, allowing an attacker who compromises the BOSH Director to inject arbitrary OpenSSH options into a locally spawned ssh process. When an operator runs non‑interactive SSH commands such as bosh ssh -c or bosh logs -f, these unintended options are applied, causing the operator’s machine to execute arbitrary local commands. This represents an Argument Injection flaw that can lead to remote code execution on the workstation even though the attacker does not directly control the operator’s terminal.
Affected Systems
CloudFoundry Foundation’s BOSH CLI is affected, specifically all releases earlier than version 7.10.4. Operators using these older versions should be aware that the CLI’s handling of SSH options is insecure until they upgrade.
Risk and Exploitability
The CVSS score of 7.7 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, implying no active, publicly known exploitation attempts. The likely attack vector requires the attacker to compromise the BOSH Director and then trick an operator into using the vulnerable cmd line paths, which requires privileged access to the Director’s configuration or ssh keys. Even with limited exploitation probability, the impact of local command execution on an operator workstation is significant, potentially enabling data exfiltration, credential theft, or further lateral movement.
OpenCVE Enrichment