Severity

High

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

• routing-release
  • All versions prior to v0.163.0
• cf-release
  • All versions prior to v274
    • Please note: due to a bug in 274, it is not recommended for production use. Deployments should use v275 or later.

Description

In some applications, it is possible to append a combination of characters to the URL that will allow for an open redirect. An attacker could exploit as a phishing attack to gain access to user credentials or other sensitive data.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

• Releases that have fixed this issue include:
  • routing-release: 0.163.0 [1]
  • cf-release: 274 [2]
    • Please note: due to a bug in 274, it is not recommended for production use. Deployments should use v275 or later.

References

• [1] https://github.com/cloudfoundry-incubator/routing-release/releases
• [2] https://github.com/cloudfoundry/cf-release/releases

History

2017-09-25: Initial vulnerability report published.

2017-09-26: Note about cf-release v274 added.