Description
setupBpmLogs follows symlink for bpm.log open and chown — container-to-host privilege escalation via /etc/shadow. A compromised process inside a bpm container can cause root to chown an arbitrary host file to vcap and append bpm JSON log lines to it. The chown alone lets the attacker take ownership of /etc/shadow and read every password hash on the host via the read-only /etc bind mount. This is a container-to-host confidentiality break affecting every bpm-managed job.

Affected versions: bpm-release, all versions prior to v1.4.30.
Published: 2026-06-18
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Cloud Foundry BPM release, where the setupBpmLogs script follows a symlink when opening bpm.log and changes its ownership. By exploiting this behavior, a process running inside a bpm container can change the ownership of arbitrary files on the host, including /etc/shadow. The attacker can then read all password hashes through the read‑only /etc bind mount, effectively compromising host credentials. The weakness is a classic path‑traversal and symlink‑following flaw (CWE‑59).

Affected Systems

Cloud Foundry Foundation BPM release, all versions before v1.4.30 are affected. The vulnerability impacts any bpm‑managed job that uses the default configuration.

Risk and Exploitability

The CVSS score of 6.8 indicates a moderate severity. While the EPSS score is not available, based on the description it is inferred that the attack does not require network exposure and is limited to a compromised process inside a bpm container, making it a container‑to‑host privilege escalation vector. The vulnerability is not listed in the CISA KEV catalog. An attacker with integrity or control over a bpm container can achieve local privilege escalation to host root and obtain sensitive credential information.

Generated by OpenCVE AI on June 18, 2026 at 22:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cloud Foundry BPM release to v1.4.30 or later which removes the symlink following logic
  • If an immediate upgrade is not possible, remove the /etc/shadow bind mount from bpm containers to block read access to host password files
  • Enforce file system permissions to prevent containers from performing chown operations on host files

Generated by OpenCVE AI on June 18, 2026 at 22:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Cloudfoundry
Cloudfoundry bpm-release
Vendors & Products Cloudfoundry
Cloudfoundry bpm-release

Thu, 18 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Container-to-host privilege escalation via symlink in Cloud Foundry BPM setupBpmLogs

Thu, 18 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description setupBpmLogs follows symlink for bpm.log open and chown — container-to-host privilege escalation via /etc/shadow. A compromised process inside a bpm container can cause root to chown an arbitrary host file to vcap and append bpm JSON log lines to it. The chown alone lets the attacker take ownership of /etc/shadow and read every password hash on the host via the read-only /etc bind mount. This is a container-to-host confidentiality break affecting every bpm-managed job. Affected versions: bpm-release, all versions prior to v1.4.30.
Weaknesses CWE-59
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Cloudfoundry Bpm-release
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-18T19:08:11.771Z

Reserved: 2026-05-20T10:00:48.931Z

Link: CVE-2026-47833

cve-icon Vulnrichment

Updated: 2026-06-18T18:42:59.082Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:59Z

Weaknesses
  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')