The vulnerability occurs in the ReleaseJob#unpack method of BOSH Director, where the job name is extracted verbatim from the jobs array in the attacker-supplied release.MF inside an uploaded tarball. This name is used to construct file paths that are then interpolated into a shell command executed via /bin/sh -c. Because the shell command execution does not neutralize special shell metacharacters, an attacker can inject arbitrary commands through crafted job names. The directory creation step uses FileUtils.mkdir_p, which does not invoke the shell and thus succeeds even with malicious characters, allowing the exploit to reach the shell execution stage. This vulnerability affects all BOSH Director versions prior to v282.1.12, where it has been fixed.

Successful exploitation can lead to arbitrary command execution on the host running BOSH Director with high privileges, given the vulnerability requires high privileges and local access. This can compromise the integrity and confidentiality of the system and potentially allow an attacker to execute arbitrary OS commands. The CVSS 4.0 score is 8.7 (high severity), reflecting the complexity and required privileges but significant impact if exploited.

A fix is available in BOSH Director version v282.1.12 and later. Users should upgrade to this version or a later release to remediate the vulnerability. Since no vendor advisory or patch link is provided, users should consult official Cloud Foundry Foundation channels for the official patch and upgrade instructions. Until upgraded, avoid processing untrusted release tarballs or ensure strict validation and sanitization of job names to prevent injection.