Cloudfoundry | Most viewed

1109 matches found

Cloud Foundry
added 2019/04/01 12:0 a.m. | 96 views

CVE-2019-1002101: Kubernetes kubectl - potential directory traversal | Cloud Foundry

Severity High Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions Cloud Foundry Container Runtime (CFCR) All versions prior to 0.31.0 Description A security issue was discovered with the Kubernetes kubectl cp command that could enable a directory traversal replacing or...

CVSS 6.4 | AI score 6 | EPSS 0.49935
Exploits: 2

Cloud Foundry
added 2019/04/25 12:0 a.m. | 95 views

USN-3885-2: OpenSSH vulnerability | Cloud Foundry

Severity Low Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description USN-3885-1 fixed vulnerabilities in OpenSSH. It was discovered that the fix for CVE-2019-6111 turned out to be incomplete. This update fixes the problem. Origina...

CVSS 5.9 | AI score 7.2 | EPSS 0.54213
Exploits: 9

Cloud Foundry
added 2020/02/05 12:0 a.m. | 93 views

USN-4227-1: Linux kernel vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Description It was discovered that a heap-based buffer overflow existed in the Marvell WiFi-Ex Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or...

CVSS 10 | AI score 8.8 | EPSS 0.0467
Exploits: 1 | Affected Software: 1

Cloud Foundry
added 2019/09/23 12:0 a.m. | 92 views

CVE-2019-11277: Volume Services is vulnerable to an LDAP injection attack | Cloud Foundry

Severity High Vendor Cloud Foundry Foundation Description Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. A remote authenticated malicious space developer can potentially inject LDAP filters via service instance...

CVSS 8.4 | AI score 8.2 | EPSS 0.00876
Exploits: 0

Cloud Foundry
added 2019/02/06 12:0 a.m. | 91 views

Cloud Foundry products uses vulnerable versions of Java | Cloud Foundry

Severity Critical Vendor Cloud Foundry Affected Cloud Foundry Products and Versions Severity is Critical unless otherwise noted. Credhub 1.7.x prior to 1.7.9 1.9.x prior to 1.9.9 2.1.x prior to 2.1.2 Java Buildpack All versions prior to 4.16.1 Ruby Buildpack All versions prior to 1.7.25 UAA Relea...

CVSS 9 | AI score 7.3 | EPSS 0.00727
Exploits: 2

Cloud Foundry
added 2018/06/05 12:0 a.m. | 91 views

USN-3658-1: procps-ng vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description It was discovered that the procps-ng top utility incorrectly read its configuration file from the current working directory. A local attacker could possibly use this issue to escalate privileges...

CVSS 9.8 | AI score 7.7 | EPSS 0.03312
Exploits: 9

Cloud Foundry
added 2017/09/08 12:0 a.m. | 90 views

CVE-2017-9805: Apache Struts Remote Code Execution | Cloud Foundry

Severity Advisory/Critical Vendor Apache Versions Affected Apache Struts 2: 2.3.x versions prior to 2.3.34 2.5.x versions prior to 2.5.13 Description An RCE attack is possible when using the Struts REST plugin with XStream handler to deserialise XML requests 1. Affected Cloud Foundry Products and...

CVSS 8.1 | AI score 8.2 | EPSS 0.94322
Exploits: 23

Cloud Foundry
added 2021/12/12 12:0 a.m. | 89 views

Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105) impact on Cloud Foundry Products | Cloud Foundry

Severity Critical Vendor Cloud Foundry Foundation Description A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed. Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser and may allow for remote...

CVSS 10 | AI score 9.5 | EPSS 0.94358
Exploits: 343

Cloud Foundry
added 2016/09/09 12:0 a.m. | 89 views

USN-3045-1 PHP vulnerabilities | Cloud Foundry

USN-3045-1 PHP vulnerabilities Medium Vendor PHP Versions Affected Cloud Foundry PHP buildpack versions prior to 4.3.18 Note: The PHP buildpack is patched from upstream PHP source Description It was discovered that PHP incorrectly handled certain SplMinHeap::compare operations. A remote attacker...

CVSS 9.8 | AI score 9.1 | EPSS 0.83504
Exploits: 26

Cloud Foundry
added 2016/06/13 12:0 a.m. | 89 views

USN-2966-1 OpenSSH vulnerabilities | Cloud Foundry

USN-2966-1 OpenSSH vulnerabilities Low Vendor Canonical Ubuntu, openssh Versions Affected Canonical Ubuntu 14.04 LTS Description Shayan Sadigh discovered that OpenSSH incorrectly handled environment files when the UseLogin feature is enabled. A local attacker could use this issue to gain...

CVSS 9.8 | AI score 7.4 | EPSS 0.50367
Exploits: 13

Cloud Foundry
added 2023/04/24 12:0 a.m. | 85 views

USN-5995-1: Vim vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 18.04 Canonical Ubuntu 22.04 Description It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to cras...

CVSS 8.4 | AI score 7.5 | EPSS 0.01534
Exploits: 30 | Affected Software: 5

Cloud Foundry
added 2022/04/14 12:0 a.m. | 85 views

USN-5338-1: Linux kernel vulnerabilities | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 18.04 Description Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the Linux kernel did not properly restrict access to the cgroups v1 release_agent feature. A local attacker could use this to gain...

CVSS 9 | AI score 8.4 | EPSS 0.54322
Exploits: 16

Cloud Foundry
added 2019/04/15 12:0 a.m. | 85 views

CVE-2019-3788: UAA redirect-uri allows wildcard in the subdomain | Cloud Foundry

Severity High Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions UAA Release OSS All versions prior to v71.0 Description Cloud Foundry UAA Release, versions prior to 71.0, allows clients to be configured with an insecure redirect uri. Given a UAA client was configured wi...

CVSS 8.7 | AI score 6.7 | EPSS 0.00502
Exploits: 0

Cloud Foundry
added 2019/02/15 12:0 a.m. | 85 views

USN-3885-1: OpenSSH vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description Harry Sintonen discovered multiple issues in the OpenSSH scp utility. If a user or automated system were tricked into connecting to an untrusted server, a remo...

CVSS 6.8 | AI score 6.9 | EPSS 0.54213
Exploits: 9

Cloud Foundry
added 2017/03/17 12:0 a.m. | 85 views

Multiple PHP vulnerabilities | Cloud Foundry

Severity Medium Vendor PHP Versions Affected Cloud Foundry PHP buildpack versions prior to 4.3.29 Note: The PHP buildpack is patched from upstream PHP source Description It was discovered that PHP incorrectly handled certain arguments to the locale_get_display_name function. A remote attacker could...

CVSS 9.8 | AI score 9.3 | EPSS 0.21629
Exploits: 3

Cloud Foundry
added 2019/02/15 12:0 a.m. | 84 views

USN-3871-4: Linux kernel (HWE) vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Description USN-3871-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.0...

CVSS 8.8 | AI score 8.8 | EPSS 0.00946
Exploits: 7

Cloud Foundry
added 2018/06/05 12:0 a.m. | 84 views

USN-3641-1: Linux kernel vulnerabilities | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Nick Peterson discovered that the Linux kernel did not properly handle debug exceptions following a MOV/POP to SS instruction. A local attacker could use this to cause a denial of service (system crash). This...

CVSS 8 | AI score 7.7 | EPSS 0.24723
Exploits: 9

Cloud Foundry
added 2015/01/28 12:0 a.m. | 84 views

CVE-2015-0235 - GHOST | Cloud Foundry

CVE-2015-0235 – GHOST Critical Vendor Canonical, Red Hat Versions Affected Ubuntu 10.04 Lucid, 12.04 Precise, CentOS 6. Description A heap-based buffer overflow was found in __nss_hostname_digits_dots, which is used by the gethostbyname and gethostbyname2 glibc function calls. A remote attacker could u...

CVSS 10 | AI score 8.3 | EPSS 0.8487
Exploits: 29

Cloud Foundry
added 2022/04/05 12:0 a.m. | 80 views

CVE-2022-22965: UAA affected by Spring Framework RCE via Data Binding on JDK 9+ | Cloud Foundry

Severity Critical Vendor Cloud Foundry Foundation Description In Cloud Foundry UAA, a remote code execution vulnerability is present due to an issue in the Spring Framework identified by CVE-2022-22965. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code...

CVSS 9.8 | AI score 8.8 | EPSS 0.94428
Exploits: 99

Cloud Foundry
added 2022/01/20 12:0 a.m. | 80 views

USN-5210-1: Linux kernel vulnerabilities | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 18.04 Description Nadav Amit discovered that the hugetlb implementation in the Linux kernel did not perform TLB flushes under certain conditions. A local attacker could use this to leak or alter data from other processes tha...

CVSS 7.8 | AI score 7.8 | EPSS 0.00135
Exploits: 3 | Affected Software: 1

Cloud Foundry
added 2021/02/10 12:0 a.m. | 80 views

USN-4705-1: Sudo vulnerabilities | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description It was discovered that Sudo incorrectly handled memory when parsing command lines. A local attacker could possibly use this issue to obtain unintended access to the administrator...

CVSS 7.8 | AI score 6.9 | EPSS 0.92579
Exploits: 82 | Affected Software: 3

Cloud Foundry
added 2016/10/04 12:0 a.m. | 80 views

USN-3095-1 PHP vulnerabilities | Cloud Foundry

USN-3095-1 PHP vulnerabilities Medium Vendor PHP Versions Affected Cloud Foundry PHP buildpack versions prior to 4.3.21 Note: The PHP buildpack is patched from upstream PHP source Description Taoguang Chen discovered that PHP incorrectly handled certain invalid objects when unserializing data. A...

CVSS 9.8 | AI score 8.9 | EPSS 0.74663
Exploits: 16

Cloud Foundry
added 2019/07/29 12:0 a.m. | 79 views

USN-4041-1: Linux kernel update | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Description USN-4017-1 fixed vulnerabilities in the Linux kernel for Ubuntu. Unfortunately, the update introduced a regression that interfered with networking applications that set up very low SO_SNDBUF values. This...

CVSS 7.5 | AI score 6.7 | EPSS 0.1336
Exploits: 1

Cloud Foundry
added 2019/05/20 12:0 a.m. | 79 views

USN-3967-1: FFmpeg vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 18.04 Description It was discovered that FFmpeg contained multiple security issues when handling certain multimedia files. If a user were tricked into opening a crafted multimedia file, an attacker could cause a denial of...

CVSS 8.8 | AI score 7.5 | EPSS 0.0194
Exploits: 0

Cloud Foundry
added 2017/03/01 12:0 a.m. | 79 views

USN-3208-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 LTS Description It was discovered that the generic SCSI block layer in the Linux kernel did not properly restrict write operations in certain situations. A local attacker could use this to cause a denial of service...

CVSS 8.4 | AI score 7.4 | EPSS 0.20044
Exploits: 13

Cloud Foundry
added 2019/04/01 12:0 a.m. | 78 views

CVE-2019-9946: Kubernetes affecting certain network configurations with CNI | Cloud Foundry

Severity Medium Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions Cloud Foundry Container Runtime (CFCR) All versions prior to 0.31.0 Description A security issue was discovered with interactions between the CNI (Container Networking Interface) portmap plugin versions prior...

CVSS 7.5 | AI score 6.4 | EPSS 0.00359
Exploits: 0

Cloud Foundry
added 2019/01/24 12:0 a.m. | 78 views

USN-3863-1: APT vulnerability | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description Max Justicz discovered that APT incorrectly handled certain parameters during redirects. If a remote attacker were able to perform a man-in-the-middle attack,...

CVSS 9.3 | AI score 6.7 | EPSS 0.12679
Exploits: 0

Cloud Foundry
added 2024/02/29 12:0 a.m. | 77 views

USN-6560-1: OpenSSH vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 22.04 Description Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk discovered that the SSH protocol was vulnerable to a prefix truncation attack. If a remote attacker was able to intercept SSH communications, extension...

CVSS 9.8 | AI score 6.5 | EPSS 0.54214
Exploits: 3 | Affected Software: 3

Cloud Foundry
added 2021/09/07 12:0 a.m. | 77 views

USN-3809-2: OpenSSH regression | Cloud Foundry

Severity Unknown Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 18.04 Description USN-3809-1 fixed vulnerabilities in OpenSSH. The update for CVE-2018-15473 was incomplete and could introduce a regression in certain environments. This update fixes the problem. We apologize for the...

CVSS 5.9 | AI score 6.8 | EPSS 0.90356
Exploits: 23 | Affected Software: 3

Cloud Foundry
added 2019/08/29 12:0 a.m. | 77 views

USN-4095-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description USN-4095-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.0...

CVSS 9.8 | AI score 8.7 | EPSS 0.80379
Exploits: 30

Cloud Foundry
added 2019/02/19 12:0 a.m. | 77 views

CVE-2019-3784: Stratos contains a Session Collision Vulnerability | Cloud Foundry

Severity High Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions Stratos All versions prior to 2.3.0 Description Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed. When deployed on cloud foundry with multiple instances using...

CVSS 8.2 | AI score 6.7 | EPSS 0.00181
Exploits: 0

Cloud Foundry
added 2019/02/15 12:0 a.m. | 77 views

USN-3882-1: curl vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description Wenxiang Qian discovered that curl incorrectly handled certain NTLM authentication messages. A remote attacker could possibly use this issue to cause curl to...

CVSS 9.8 | AI score 8.7 | EPSS 0.18518
Exploits: 2

Cloud Foundry
added 2019/05/29 12:0 a.m. | 76 views

USN-3993-1: curl vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description Wenchao Li discovered that curl incorrectly handled memory in the curl_url_set function. A remote attacker could use this issue to cause curl to crash, resulting in a denial of servic...

CVSS 7.8 | AI score 7.6 | EPSS 0.15484
Exploits: 2

Cloud Foundry
added 2016/06/03 12:0 a.m. | 76 views

USN-2970-1 Linux kernel (Vivid HWE) vulnerabilities | Cloud Foundry

USN-2970-1 Linux kernel Vivid HWE vulnerabilities Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 LTS Description Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An...

CVSS 7.8 | AI score 7.9 | EPSS 0.00706
Exploits: 25

Cloud Foundry
added 2017/08/28 12:0 a.m. | 75 views

USN-3392-2: Linux kernel (Xenial HWE) regression | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description USN-3392-1 fixed a regression in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS...

CVSS 7.8 | AI score 8.2 | EPSS 0.09416
Exploits: 3

Cloud Foundry
added 2016/12/13 12:0 a.m. | 75 views

USN-3123-1: curl vulnerabilities | Cloud Foundry

USN-3123-1: curl vulnerabilities Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 LTS Description It was discovered that curl incorrectly reused client certificates when built with NSS. A remote attacker could possibly use this issue to hijack the authentication of a TLS...

CVSS 9.8 | AI score 9.2 | EPSS 0.04507
Exploits: 0

Cloud Foundry
added 2023/10/05 12:0 a.m. | 74 views

| Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 22.04 Description It was discovered that libwebp incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image file, a remote attacker could use this issue ...

CVSS 8.8 | AI score 9.4 | EPSS 0.93301
Exploits: 9 | Affected Software: 2

Cloud Foundry
added 2019/11/13 12:0 a.m. | 74 views

Various CVEs: UAA consumes vulnerable versions of FasterXML jackson-databind | Cloud Foundry

Severity Critical Vendor Cloud Foundry Foundation Description Cloud Foundry UAA, versions prior to 74.7.0, contain a dependency on a vulnerable version of FasterXML jackson-databind. These issues have the CVEs CVE-2019-17531, CVE-2019-14379, CVE-2019-16942, CVE-2019-14540, CVE-2019-17267,...

CVSS 9.8 | AI score 9.7 | EPSS 0.01891
Exploits: 1

Cloud Foundry
added 2016/12/27 12:0 a.m. | 74 views

USN-3128-2: Linux kernel (Xenial HWE) vulnerability | Cloud Foundry

USN-3128-2: Linux kernel Xenial HWE vulnerability Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 LTS Description Ondrej Kozina discovered that the keyring interface in the Linux kernel contained a buffer overflow when displaying timeout events via the /proc/keys interface...

CVSS 6.2 | AI score 6.9 | EPSS 0.00097
Exploits: 0

Cloud Foundry
added 2017/11/22 12:0 a.m. | 73 views

CVE-2017-14389: Application Subdomain Takeover via Cloud Foundry Private Domains | Cloud Foundry

Severity High Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions capi-release All versions prior to 1.45.0 cf-release All versions prior to v280 cf-deployment All versions prior to v1.0.0 Description The Cloud Controller does not prevent space developers from creating...

CVSS 6.5 | AI score 6.4 | EPSS 0.00183
Exploits: 0

Cloud Foundry
added 2023/06/30 12:0 a.m. | 72 views

USN-6039-1: OpenSSL vulnerabilities | Cloud Foundry

Severity Low Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Canonical Ubuntu 22.04 Description It was discovered that OpenSSL was not properly managing file locks when processing policy constraints. If a user or automated system were tricked into processin...

CVSS 7.5 | AI score 7.3 | EPSS 0.00848
Exploits: 0 | Affected Software: 5

Cloud Foundry
added 2023/04/24 12:0 a.m. | 72 views

USN-6026-1: Vim vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 18.04 Canonical Ubuntu 22.04 Description It was discovered that Vim was incorrectly processing Vim buffers. An attacker could possibly use this issue to perform illegal memory access and expose sensitive information. This...

CVSS 9.8 | AI score 9.1 | EPSS 0.0529
Exploits: 20 | Affected Software: 5

Cloud Foundry
added 2022/04/21 12:0 a.m. | 72 views

USN-5298-1: Linux kernel vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description It was discovered that the Packet network protocol implementation in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of...

CVSS 7.8 | AI score 8 | EPSS 0.13534
Exploits: 8 | Affected Software: 3

Cloud Foundry
added 2020/06/22 12:0 a.m. | 72 views

USN-4351-1: Linux firmware vulnerability | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Description Eli Biham and Lior Neumann discovered that certain Bluetooth devices incorrectly validated key exchange parameters. An attacker could possibly use this issue to obtain sensitive information. CVEs containe...

CVSS 8 | AI score 6.7 | EPSS 0.00167
Exploits: 1 | Affected Software: 1

Cloud Foundry
added 2019/09/30 12:0 a.m. | 72 views

USN-4127-1: Python vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description It was discovered that Python incorrectly handled certain pickle files. An attacker could possibly use this issue to consume memory, leading to a denial of service. This issue only...

CVSS 9.8 | AI score 8.5 | EPSS 0.0991
Exploits: 6

Cloud Foundry
added 2024/04/04 12:0 a.m. | 71 views

USN-6557-1: Vim vulnerabilities | Cloud Foundry

Severity Unknown Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Canonical Ubuntu 22.04 Description It was discovered that Vim could be made to dereference invalid memory. An attacker could possibly use this issue to cause a denial of service. This issue on...

CVSS 7.8 | AI score 7.7 | EPSS 0.00484
Exploits: 8 | Affected Software: 3

Cloud Foundry
added 2019/09/30 12:0 a.m. | 71 views

USN-4094-1: Linux kernel vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Description It was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. CVE-2018-13053 Wen Xu...

CVSS 9.8 | AI score 9.2 | EPSS 0.80379
Exploits: 37

Cloud Foundry
added 2019/04/16 12:0 a.m. | 71 views

CVE-2019-3789: Gorouter allows space developer to hijack route services hosted outside the platform | Cloud Foundry

Severity High Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions CF Routing All versions prior to 0.188.0 Description Cloud Foundry Routing Release, all versions prior to 0.188.0, contains a vulnerability that can hijack the traffic to route services hosted outside the...

CVSS 8.8 | AI score 6.8 | EPSS 0.00158
Exploits: 0

Cloud Foundry
added 2019/02/11 12:0 a.m. | 71 views

CVE-2019-3782: CredHub CLI writes environment variable credentials to disk | Cloud Foundry

Severity Medium Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions CredHub CLI All versions prior to 2.2.1 Description Cloud Foundry CredHub CLI, versions prior to 2.2.1, inadvertently writes authentication credentials provided via environment variables to its persistent...

CVSS 7.8 | AI score 6.8 | EPSS 0.00074
Exploits: 0

Cloud Foundry
added 2018/01/23 12:0 a.m. | 71 views

USN-3540-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry

Severity Critical Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description USN-3540-1 addressed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubunt...

CVSS 5.6 | AI score 6.8 | EPSS 0.9427
Exploits: 12

Total number of security vulnerabilities: 1109