Impact
The vulnerability resides in the Cloud Foundry BPM release, where the setupBpmLogs script follows a symlink when opening bpm.log and changes its ownership. By exploiting this behavior, a process running inside a bpm container can change the ownership of arbitrary files on the host, including /etc/shadow. The attacker can then read all password hashes through the read‑only /etc bind mount, effectively compromising host credentials. The weakness is a classic path‑traversal and symlink‑following flaw (CWE‑59).
Affected Systems
Cloud Foundry Foundation BPM release, all versions before v1.4.30 are affected. The vulnerability impacts any bpm‑managed job that uses the default configuration.
Risk and Exploitability
The CVSS score of 6.8 indicates a moderate severity. While the EPSS score is not available, based on the description it is inferred that the attack does not require network exposure and is limited to a compromised process inside a bpm container, making it a container‑to‑host privilege escalation vector. The vulnerability is not listed in the CISA KEV catalog. An attacker with integrity or control over a bpm container can achieve local privilege escalation to host root and obtain sensitive credential information.
OpenCVE Enrichment