Lucene search

Cloud FoundryCFOUNDRY:060D9445888103D0A947E36946258D62

HistorySep 07, 2023 - 12:00 a.m.

CVE-2023-34041-Abuse of HTTP Hop-by-Hop Headers in Cloud Foundry Gorouter | Cloud Foundry

2023-09-0700:00:00

Cloud Foundry

www.cloudfoundry.org

cloud foundry

http hop-by-hop headers

vulnerability

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

20.7%

JSON

Severity

Medium

Vendor

Cloud Foundry

Description

Cloud foundry routing release versions prior to 0.278.0 are vulnerable to abuse of HTTP Hop-by-Hop Headers. An unauthenticated attacker can use this vulnerability for headers like B3 or X-B3-SpanID to affect the identification value recorded in the logs in foundations.

Affected Cloud Foundry Products and Versions

*Severity is medium unless otherwise noted.

Routing
- All versions prior to 0.278.0
CF deployment
- All versions prior to 32.4.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below.

The Cloud Foundry project recommends upgrading the following releases:

Routing

* Upgrade all versions to 0.278.0 or greater

CF Deployment

* Upgrade all versions to 32.4.0 or greater

References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:R/CR:X/IR:L/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:X/MI:L/MA:N&version=3.1

History

07/09/2023: Initial vulnerability report published.

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

20.7%

JSON

Related for CFOUNDRY:060D9445888103D0A947E36946258D62