2 matches found
CVE-2020-5418 Cloud Controller allows users with no roles to list droplets
Cloud Foundry CAPI Cloud Controller versions prior to 1.98.0 allow authenticated users having only the "cloudcontroller.read" scope, but no roles in any spaces, to list all droplets in all spaces whereas they should see none...
CVE-2020-5418
CVE-2020-5418 affects Cloud Foundry CAPI (Cloud Controller) versions before 1.98.0. Authentication with only cloud_controller.read and no space roles allows listing all droplets across all spaces (should be none). Root cause: insufficient authorization check exposing droplets to users without pro...