15 matches found
CVE-2017-14389
CVE-2017-14389 affects Cloud Foundry Foundation components capi-release (all versions < 1.45.0), cf-release (all versions < v280), and cf-deployment (all versions
CVE-2020-5423
CVE-2020-5423 affects Cloud Foundry’s CAPI (Cloud Controller): versions prior to 1.101.0 are vulnerable to a denial-of-service caused by an unauthenticated attacker sending specially-crafted YAML to certain endpoints, triggering the YAML parser to consume excessive CPU and RAM. Reported as a high...
CVE-2021-22100
CVE-2021-22100 affects Cloud Foundry CAPI versions prior to 1.122. A misbehaving service broker can cause Cloud Controller (CAPI) instances to timeout, leading to an inability to push or manage applications (Denial of Service). The public sources describe the issue and confirm affected releases i...
CVE-2021-22115
CVE-2021-22115 affects Cloud Foundry Cloud Controller API prior to version 1.106.0. The vulnerability arises because the CAPI database logs service broker passwords in plain text when a job to clean up orphaned items runs, exposing credentials if log access is compromised. Affected product/versio...
CVE-2020-5417
CVE-2020-5417 affects Cloud Foundry CAPI (Cloud Controller) versions prior to 1.97.0 when an app domain is also the system domain (as in default CF deployments). The issue allows a developer’s app to maliciously or accidentally claim sensitive routes that were intended for system components, pote...
CVE-2021-22101
CVE-2021-22101 affects Cloud Foundry Cloud Controller prior to 1.118.0. It enables unauthenticated DoS by sending REST HTTP requests with label_selectors on multiple V3 endpoints, generating an enormous SQL query that can render the ccdb unavailable. Affected products include CAPI (pre-1.118.0) a...
CVE-2018-1266
CVE-2018-1266 affects Cloud Foundry Cloud Controller prior to version 1.52.0. The vulnerability allows an authenticated attacker to perform path traversal to locate application blobs and overwrite arbitrary files on the Cloud Controller, resulting in information disclosure and potential modificat...
CVE-2017-8033
The CVE-2017-8033 issue affects Cloud Foundry’s Cloud Controller API in capi-release v1.33.0+ and cf-release v268+ (pre-v1.35.0 and pre-v268 respectively), where a filesystem-traversal flaw lets a space developer write arbitrary files on the Cloud Controller VM by pushing a crafted app. The origi...
CVE-2018-1195
Cloud Controller (Cloud Foundry) is affected. The vulnerability (CVE-2018-1195) occurs when Cloud Controller versions prior to 1.46.0, cf-deployment prior to 1.3.0, and cf-release prior to 283 accept refresh tokens for authentication in contexts where an access token is expected. Root cause: refr...
CVE-2020-5418
CVE-2020-5418 affects Cloud Foundry CAPI (Cloud Controller) versions before 1.98.0. Authentication with only cloud_controller.read and no space roles allows listing all droplets across all spaces (should be none). Root cause: insufficient authorization check exposing droplets to users without pro...
CVE-2016-8219
The CVE affects Cloud Foundry Foundation cf-release before 250 and CAPI-release before 1.12.0. The vulnerability arises because a SpaceAuditor can restage applications, enabling over-privileged actions that could cause application downtime if restaging fails. Mitigation is to upgrade cf-release t...
CVE-2019-3785
CVE-2019-3785 affects Cloud Foundry Cloud Controller before 1.78.0. An endpoint with improper authorization lets a remote authenticated user with read permissions request package information and obtain a signed bit-service URL that grants write permissions to the bit-service. The issue’s impact i...
CVE-2016-2169
Cloud Foundry CVE-2016-2169 affects Cloud Foundry Cloud Controller: capi-release versions before 1.0.0 and cf-release versions before v237. The issue is a business-logic flaw where an application could create a route that conflicts with a platform service route, causing traffic intended for the s...
CVE-2019-3798
Cloud Foundry Cloud Controller API (CAPI) prior to version 1.79.0 is affected by an improper authentication flaw in permission validation. A remote authenticated attacker who can create UAA clients and knows a victim’s email can escalate privileges to that victim by creating a client whose name m...
CVE-2020-5400
CVE-2020-5400 affects Cloud Foundry Cloud Controller (CAPI) prior to 1.91.0. The issue arises because background-job logging may capture environment properties (e.g., credentials) from app manifests, enabling a malicious user with access to logs to exfiltrate sensitive credentials. Public referen...