Lucene search
CloudfoundryCapi-release

22 matches found

CVE
added 2019/12/19 7:35 p.m. | 82 views

CVE-2019-11294

Summary: CVE-2019-11294 affects Cloud Foundry Cloud Controller API (CAPI) version 1.88.0, where space developers can list all global service brokers, exposing broker URLs and GUIDs that should be admin-only. The issue is a disclosure/Access Control problem within CAPI, enabling unauthorized visib...

CVSS 4.3 | AI score 4.6 | EPSS 0.00778

CVE
added 2017/11/28 7:0 a.m. | 75 views

CVE-2017-14389

CVE-2017-14389 affects Cloud Foundry Foundation components capi-release (all versions < 1.45.0), cf-release (all versions < v280), and cf-deployment (all versions

CVSS 6.5 | AI score 6.3 | EPSS 0.00945

CVE
added 2020/12/02 1:55 a.m. | 71 views

CVE-2020-5423

CVE-2020-5423 affects Cloud Foundry’s CAPI (Cloud Controller): versions prior to 1.101.0 are vulnerable to a denial-of-service caused by an unauthenticated attacker sending specially-crafted YAML to certain endpoints, triggering the YAML parser to consume excessive CPU and RAM. Reported as a high...

CVSS 7.8 | AI score 7.5 | EPSS 0.01131

CVE
added 2022/03/25 6:2 p.m. | 66 views

CVE-2021-22100

CVE-2021-22100 affects Cloud Foundry CAPI versions prior to 1.122. A misbehaving service broker can cause Cloud Controller (CAPI) instances to time out, leading to an inability to push or manage applications (Denial of Service). The public sources describe the issue and confirm affected releases i...

CVSS 5.3 | AI score 5.2 | EPSS 0.0088

CVE
added 2020/08/21 9:50 p.m. | 63 views

CVE-2020-5417

CVE-2020-5417 affects Cloud Foundry CAPI (Cloud Controller) versions prior to 1.97.0 when an app domain is also the system domain (as in default CF deployments). The issue allows a developer’s app to maliciously or accidentally claim sensitive routes that were intended for system components, pote...

CVSS 8.8 | AI score 8.7 | EPSS 0.00986

CVE
added 2021/04/08 5:28 p.m. | 62 views

CVE-2021-22115

CVE-2021-22115 affects Cloud Foundry Cloud Controller API prior to version 1.106.0. The vulnerability arises because the CAPI database logs service broker passwords in plain text when a job to clean up orphaned items runs, exposing credentials if log access is compromised. Affected product/versio...

CVSS 6.5 | AI score 6.4 | EPSS 0.00836

CVE
added 2023/05/19 12:0 a.m. | 56 views

CVE-2023-20881

CVE-2023-20881 affects Cloud Foundry CAPI versions 1.140–1.152.0 and Loggregator-agent v7+. The issue allows a user who knows the syslog drain client certificate to override other users’ syslog drain credentials, potentially altering the private key or adding/modifying a Certificate Authority use...

CVSS 8.1 | AI score 8 | EPSS 0.00362

CVE
added 2021/10/27 2:18 p.m. | 53 views

CVE-2021-22101

CVE-2021-22101 affects Cloud Foundry Cloud Controller prior to 1.118.0. It enables unauthenticated DoS by sending REST HTTP requests with label_selectors on multiple V3 endpoints, generating an enormous SQL query that can render the ccdb unavailable. Affected products include CAPI (pre-1.118.0) a...

CVSS 7.5 | AI score 7.7 | EPSS 0.00972

CVE
added 2017/07/25 4:0 a.m. | 51 views

CVE-2017-8033

The CVE-2017-8033 issue affects Cloud Foundry’s Cloud Controller API in capi-release v1.33.0+ and cf-release v268+ (pre-v1.35.0 and pre-v268 respectively), where a filesystem-traversal flaw lets a space developer write arbitrary files on the Cloud Controller VM by pushing a crafted app. The origi...

CVSS 7.8 | AI score 7.5 | EPSS 0.01018

CVE
added 2018/03/27 4:0 p.m. | 51 views

CVE-2018-1266

CVE-2018-1266 affects Cloud Foundry Cloud Controller prior to version 1.52.0. The vulnerability allows an authenticated attacker to perform path traversal to locate application blobs and overwrite arbitrary files on the Cloud Controller, resulting in information disclosure and potential modificat...

CVSS 8.1 | AI score 7.6 | EPSS 0.01137

CVE
added 2017/08/21 10:0 p.m. | 49 views

CVE-2017-8037

CVE-2017-8037 affects Cloud Foundry: CAPI-release v1.6.0+ up to < v1.38.0 and cf-release v244+ up to

CVSS 7.5 | AI score 7.6 | EPSS 0.01415

CVE
added 2018/03/19 6:0 p.m. | 49 views

CVE-2018-1195

Cloud Controller (Cloud Foundry) is affected. The vulnerability (CVE-2018-1195) occurs when Cloud Controller versions prior to 1.46.0, cf-deployment prior to 1.3.0, and cf-release prior to 283 accept refresh tokens for authentication in contexts where an access token is expected. Root cause: refr...

CVSS 8.8 | AI score 8.7 | EPSS 0.0099

CVE
added 2017/01/13 9:0 a.m. | 48 views

CVE-2016-9882

CVE-2016-9882 affects Cloud Foundry cf-release before v250 and CAPI-release before v1.12.0. The issue is that Cloud Foundry logs credentials returned from service brokers in Cloud Controller system component logs; these logs are written to disk and often forwarded to log aggregators via syslog. T...

CVSS 7.5 | AI score 7.4 | EPSS 0.01687

CVE
added 2017/07/17 2:0 p.m. | 48 views

CVE-2017-8034

CVE-2017-8034 affects Cloud Foundry components: Cloud Controller and Router in CAPI release capi < v1.32.0, Routing-release < v0.159.0, CF-release

CVSS 6.6 | AI score 6.5 | EPSS 0.00751

CVE
added 2020/09/03 1:10 a.m. | 48 views

CVE-2020-5418

CVE-2020-5418 affects Cloud Foundry CAPI (Cloud Controller) versions before 1.98.0. Authentication with only cloud_controller.read and no space roles allows listing all droplets across all spaces (should be none). Root cause: insufficient authorization check exposing droplets to users without pro...

CVSS 4.3 | AI score 4.2 | EPSS 0.00575

CVE
added 2017/06/13 6:0 a.m. | 46 views

CVE-2016-8219

The CVE affects Cloud Foundry Foundation cf-release before 250 and CAPI-release before 1.12.0. The vulnerability arises because a SpaceAuditor can restage applications, enabling over-privileged actions that could cause application downtime if restaging fails. Mitigation is to upgrade cf-release t...

CVSS 6.5 | AI score 6.3 | EPSS 0.00974

CVE
added 2017/07/25 4:0 a.m. | 44 views

CVE-2017-8035

CVE-2017-8035 targets the Cloud Controller API in Cloud Foundry Foundation CAPI-release versions after v1.6.0 and before v1.35.0 (and cf-release after v244 and before v268). A carefully crafted CAPI request from a Space Developer can gain access to files on the Cloud Controller VM for that instal...

CVSS 7.5 | AI score 7.4 | EPSS 0.01387

CVE
added 2019/03/13 10:0 p.m. | 44 views

CVE-2019-3785

CVE-2019-3785 affects Cloud Foundry Cloud Controller before 1.78.0. An endpoint with improper authorization lets a remote authenticated user with read permissions request package information and obtain a signed bit-service URL that grants write permissions to the bit-service. The issue’s impact i...

CVSS 8.1 | AI score 6.9 | EPSS 0.01294

CVE
added 2017/07/24 6:0 p.m. | 43 views

CVE-2017-8036

CVE-2017-8036 affects Cloud Foundry Foundation Cloud Controller API via a regression introduced by the fix for CVE-2017-8033 in CAPI-release 1.33.0 (only). A space developer can push a crafted app to execute arbitrary code on the Cloud Controller VM. The issue, tied to the same regression path as...

CVSS 7.8 | AI score 7.7 | EPSS 0.01425

CVE
added 2020/02/27 7:30 p.m. | 43 views

CVE-2020-5400

CVE-2020-5400 affects Cloud Foundry Cloud Controller (CAPI) prior to 1.91.0. The issue arises because background-job logging may capture environment properties (e.g., credentials) from app manifests, enabling a malicious user with access to logs to exfiltrate sensitive credentials. Public referen...

CVSS 8 | AI score 6.7 | EPSS 0.00753

CVE
added 2018/04/18 4:0 p.m. | 42 views

CVE-2016-2169

Cloud Foundry CVE-2016-2169 affects Cloud Foundry Cloud Controller: capi-release versions before 1.0.0 and cf-release versions before v237. The issue is a business-logic flaw where an application could create a route that conflicts with a platform service route, causing traffic intended for the s...

CVSS 5.3 | AI score 5.2 | EPSS 0.01003

CVE
added 2019/04/17 1:32 p.m. | 42 views

CVE-2019-3798

Cloud Foundry Cloud Controller API (CAPI) prior to version 1.79.0 is affected by an improper authentication flaw in permission validation. A remote authenticated attacker who can create UAA clients and knows a victim’s email can escalate privileges to that victim by creating a client whose name m...

CVSS 7.5 | AI score 6.7 | EPSS 0.01365