Cloud Foundry, CFOUNDRY:88C12A42191BCD1613D7D020E34FAE91
Feb 01, 2016 - 12:00 a.m.

CVE-2016-0713: Gorouter XSS | Cloud Foundry

2016-02-01 00:00:00
Cloud Foundry
www.cloudfoundry.org

EPSS

0.001 Low

Percentile

29.7%

Severity

Medium

Vendor

Cloud Foundry Foundation

Description

A vulnerability has been discovered in the gorouter process that allows a cross-site scripting (XSS) attack. Should a malicious actor intermediate requests from clients to the router, modifying the request to contain malicious code, this code could be executed on the operating system of the client from which the request originated. To our knowledge, this vulnerability does not pose a risk for penetration or takeover of Cloud Foundry system components or applications hosted by Cloud Foundry.

Affected Cloud Foundry Products and Versions

  • cf-release v141 – v228

Mitigation

The Cloud Foundry project recommends that Cloud Foundry deployments using Gorouter be upgraded to cf-release v229.

Credit

Fujitsu Limited

References

History

2016-Feb-01: CVE details shared with cf-dev mailing list

2017-Sep-08: Initial vulnerability report published
