CVE-2016-8218: Unauthenticated JWT signing algorithm in routing
Critical
Cloud Foundry Foundation
Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users to the routing API.
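The kind of check the description refers to, as an added example (not Cloud Foundry's code or its fix): a Go verifier that pins the accepted signing algorithm itself and rejects any token whose header names something else, including the JWS `none` value. HS256, the sample key and the names `VerifyHS256`, `sign` and `mac` are assumptions made for illustration; the advisory does not say which algorithm the routing API expects.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var enc = base64.RawURLEncoding // JWTs use unpadded base64url

// mac computes HMAC-SHA256 over the signing input.
func mac(input string, key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(input))
	return m.Sum(nil)
}

// sign builds a compact token from constructed sample JSON (demo helper only).
func sign(header, claims string, key []byte) string {
	in := enc.EncodeToString([]byte(header)) + "." + enc.EncodeToString([]byte(claims))
	return in + "." + enc.EncodeToString(mac(in, key))
}

// VerifyHS256 returns the claims only if the header names the pinned algorithm and the MAC matches.
func VerifyHS256(token string, key []byte) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	raw, err := enc.DecodeString(parts[0])
	// The verifier picks the algorithm; the header is only checked against it.
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, fmt.Errorf("algorithm %q not allowed", hdr.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac(parts[0]+"."+parts[1], key)) {
		return nil, fmt.Errorf("signature mismatch")
	}
	return enc.DecodeString(parts[1])
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample key
	_, err := VerifyHS256(sign(`{"alg":"none"}`, `{"sub":"admin"}`, key), key)
	fmt.Println(err)
}
```

The algorithm comparison runs before any signature work, so a token cannot select its own verification path.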
OSS users of affected routing-release versions are strongly encouraged to:
OSS users of cf-release versions 203 to 231 are strongly encouraged to:
The issue was responsibly reported by a VMware team member.
[1] <https://github.com/cloudfoundry/cf-release/releases>
2016-12-09: Initial vulnerability report published
2016-12-15: Vulnerable software versions updated