Lucene search

CloudfoundryCf-deployment

7 matches found

CVE · added 2018/05/15 8:29 p.m. · 53 views

CVE-2018-1262

Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin...

CVSS 7.2 · AI score 7 · EPSS 0.00428
CVE · added 2018/03/19 6:29 p.m. · 40 views

CVE-2018-1221

In cf-deployment before 1.14.0 and routing-release before 0.172.0, the Cloud Foundry Gorouter mishandles WebSocket requests for AWS Application Load Balancers (ALBs) and some other HTTP-aware Load Balancers. A user with developer privileges could use this vulnerability to steal data or cause denial...

CVSS 8.1 · AI score 7.9 · EPSS 0.00376
CVE · added 2018/05/23 3:29 p.m. · 39 views

CVE-2018-1193

Cloud Foundry routing-release, versions prior to 0.175.0, lacks sanitization for user-provided X-Forwarded-Proto headers. A remote user can set the X-Forwarded-Proto header in a request to potentially bypass an application requirement to only respond over secure connections.

CVSS 5.3 · AI score 5.2 · EPSS 0.00169
CVE · added 2018/04/30 8:29 p.m. · 39 views

CVE-2018-1277

Cloud Foundry Garden-runC, versions prior to 1.13.0, does not correctly enforce disc quotas for Docker image layers. A remote authenticated user may push an app with a malicious Docker image that will consume more space on a Diego cell than allocated in their quota, potentially causing a DoS agains...

CVSS 6.5 · AI score 6.2 · EPSS 0.00515
CVE · added 2018/03/19 6:29 p.m. · 36 views

CVE-2018-1195

In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insuffic...

CVSS 8.8 · AI score 8.7 · EPSS 0.00287
CVE · added 2018/06/06 8:29 p.m. · 36 views

CVE-2018-1265

Cloud Foundry Diego, release versions prior to 2.8.0, does not properly sanitize file paths in tar and zip file headers. A remote attacker with CF admin privileges can upload a malicious buildpack that will allow a complete takeover of a Diego Cell VM and access to all apps running on that Diego C...

CVSS 7.2 · AI score 6.9 · EPSS 0.00682
CVE · added 2018/03/29 8:29 p.m. · 30 views

CVE-2018-1191

Cloud Foundry Garden-runC, versions prior to 1.11.0, contains an information exposure vulnerability. A user with access to Garden logs may be able to obtain leaked credentials and perform authenticated actions using those credentials.

CVSS 8.8 · AI score 8.3 · EPSS 0.00364