CVE 8.7 HIGH

CVE-2026-41010_CVE-2026-41010

June 4, 2026 invoker category_cve
8.7 / 10
HIGH
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

ReleaseJob#unpack builds job_dir = File.join(@release_dir, 'jobs', name) and job_tgz = File.join(@release_dir, 'jobs', "#{name}.tgz") where name returns @job_meta['name'], a value taken verbatim from the jobs: array of the attacker-supplied release.MF inside the uploaded tarball. These paths are then interpolated into a shell string: Bosh::Common::Exec.sh("tar -C #{job_dir} -xf #{job_tgz} 2>&1", :on_error => :return). Bosh::Common::Exec.sh executes via %x{#{command}} (bosh-common/lib/bosh/common/exec.rb:53), i.e. /bin/sh -c, so any shell metacharacters in name are interpreted. FileUtils.mkdir_p(job_dir) on line 49 creates the literal directory (no shell) and succeeds even when the name contains $()/;, so execution reaches the sh call.

Affected versions:
- BOSH Director: all versions prior to v282.1.12 (inclusive); fixed in v282.1.12 or later

AI Analysis

Command injection vulnerability in BOSH Director via ReleaseJob#unpack

Basic Information

ID CVE-2026-41010
Source vmware
Published Jun 4, 2026 at 02:27

Affected Product

Vendor Cloud Foundry Foundation
Product BOSH Director
Affected Versions Cloud Foundry Foundation BOSH Director 0

CWE Classification

CWE-78

AI Assessment

AI Score 8.7 / 10
AI Severity High
Vendor Cloud Foundry Foundation
Product BOSH Director
Version all versions prior to v282.1.12

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.