CVE-2026-47833

CVE-2026-47833 PUBLISHED

Assigner: vmware
Reserved: 20.05.2026 Published: 18.06.2026 Updated: 18.06.2026

setupBpmLogs follows symlink for bpm.log open and chown — container-to-host privilege escalation via /etc/shadow. A compromised process inside a bpm container can cause root to chown an arbitrary host file to vcap and append bpm JSON log lines to it. The chown alone lets the attacker take ownership of /etc/shadow and read every password hash on the host via the read-only /etc bind mount. This is a container-to-host confidentiality break affecting every bpm-managed job.

Affected versions: bpm-release, all versions prior to v1.4.30.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CVSS Score: 6.1

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.8

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Cloud Foundry Foundation
Product	bpm-release
Versions	Default: unaffected affected from 0 to 1.4.30 (excl.)

Vendor

Cloud Foundry Foundation

Product

bpm-release

Versions

Default: unaffected

affected from 0 to 1.4.30 (excl.)

References

Problem Types

CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE

Impacts

A low-privileged process inside a bpm container can cause root to chown /etc/shadow to vcap, enabling the attacker to read all host password hashes (High Confidentiality, Low Integrity impact) via the read-only /etc bind mount.