Medium
Cloud Foundry Foundation
A vulnerability has been discovered in the gorouter process that allows a cross-site scripting (XSS) attack. If a malicious actor positioned between clients and the router modifies a request to contain malicious code, this code could be executed on the operating system of the client from which the request originated. To our knowledge, this vulnerability does not pose a risk for penetration or takeover of Cloud Foundry system components or applications hosted by Cloud Foundry.
The Cloud Foundry project recommends that Cloud Foundry deployments using gorouter be upgraded to cf-release v229.
Fujitsu Limited
2016-Feb-01: CVE details shared with cf-dev mailing list
2017-Sep-08: Initial vulnerability report published