CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS
Percentile
32.6%
Severity
Medium
Vendor
Cloud Foundry Foundation
Description
Users on cf may override other users syslog drain credentials if they’re aware of the client certificate used for that syslog drain. This applies even if the drain has zero certs. This would allow the user to override the private key and add or modify a certificate authority used for the connection leading to Denial of Service attack or causing the drain to permit bad certificates.
Affected Cloud Foundry Products and Versions
Severity is medium unless otherwise noted.
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
** Credit**
This issue was reported by Felix Hambrecht.
References
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:H
History
2023-05-18: Initial vulnerability report published.