Product:

Cf\-Deployment

(Cloudfoundry)
Repositories

Unknown:

This might be proprietary software.
#Vulnerabilities 34
Date Id Summary Products Score Patch Annotated
2023-05-19 CVE-2023-20881 Cloud foundry instances having CAPI version between 1.140 and 1.152.0 along with loggregator-agent v7+ may override other users syslog drain credentials if they're aware of the client certificate used for that syslog drain. This applies even if the drain has zero certs. This would allow the user to override the private key and add or modify a certificate authority used for the connection. Capi\-Release, Cf\-Deployment, Loggregator\-Agent 8.1
2023-05-26 CVE-2023-20882 In Cloud foundry routing release versions from 0.262.0 and prior to 0.266.0,a bug in the gorouter process can lead to a denial of service of applications hosted on Cloud Foundry. Under the right circumstances, when client connections are closed prematurely, gorouter marks the currently selected backend as failed and removes it from the routing pool. Cf\-Deployment, Routing_release 5.9
2023-09-08 CVE-2023-34041 Cloud foundry routing release versions prior to 0.278.0 are vulnerable to abuse of HTTP Hop-by-Hop Headers. An unauthenticated attacker can use this vulnerability for headers like B3 or X-B3-SpanID to affect the identification value recorded in the logs in foundations. Cf\-Deployment, Routing\-Release 5.3
2024-06-10 CVE-2024-22279 Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade the service availability of the Cloud Foundry deployment if performed at scale. Cf\-Deployment, Routing_release 7.5
2019-11-26 CVE-2019-11290 Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well. Cf\-Deployment, User_account_and_authentication 7.5
2018-03-19 CVE-2018-1195 In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of client credentials or revocation, would allow authentication. Capi\-Release, Cf\-Deployment, Cf\-Release 8.8
2019-04-25 CVE-2019-3801 Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component. Cf\-Deployment, Credhub, Uaa_release 9.8
2018-05-15 CVE-2018-1262 Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation. Cf\-Deployment, Cloud_foundry_uaa, Cloud_foundry_uaa\-Release 7.2
2018-06-06 CVE-2018-1265 Cloud Foundry Diego, release versions prior to 2.8.0, does not properly sanitize file paths in tar and zip files headers. A remote attacker with CF admin privileges can upload a malicious buildpack that will allow a complete takeover of a Diego Cell VM and access to all apps running on that Diego Cell. Cf\-Deployment, Cloud_foundry_diego 7.2
2019-10-23 CVE-2019-11282 Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack. A remote authenticated malicious user with scim.invite scope can craft a request with malicious content which can leak information about users of the UAA. Cf\-Deployment, Cloud_foundry_uaa 4.3