Product:

Cf\-Deployment

(Cloudfoundry)
Repositories

Unknown:

This might be proprietary software.
#Vulnerabilities 34
Date Id Summary Products Score Patch Annotated
2019-04-25 CVE-2019-3801 Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component. Cf\-Deployment, Credhub, Uaa_release 9.8
2018-05-15 CVE-2018-1262 Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation. Cf\-Deployment, Cloud_foundry_uaa, Cloud_foundry_uaa\-Release 7.2
2018-06-06 CVE-2018-1265 Cloud Foundry Diego, release versions prior to 2.8.0, does not properly sanitize file paths in tar and zip files headers. A remote attacker with CF admin privileges can upload a malicious buildpack that will allow a complete takeover of a Diego Cell VM and access to all apps running on that Diego Cell. Cf\-Deployment, Cloud_foundry_diego 7.2
2019-10-23 CVE-2019-11282 Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack. A remote authenticated malicious user with scim.invite scope can craft a request with malicious content which can leak information about users of the UAA. Cf\-Deployment, Cloud_foundry_uaa 4.3
2019-10-23 CVE-2019-11283 Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. A remote user with access to the SMB Volume logs can discover the username and password for volumes that have been recently created, allowing the user to take control of the SMB Volume. Cf\-Deployment, Cloud_foundry_smb_volume 8.8
2019-12-19 CVE-2019-11294 Cloud Foundry Cloud Controller API (CAPI), version 1.88.0, allows space developers to list all global service brokers, including service broker URLs and GUIDs, which should only be accessible to admins. Capi\-Release, Cf\-Deployment 4.3
2018-03-19 CVE-2018-1221 In cf-deployment before 1.14.0 and routing-release before 0.172.0, the Cloud Foundry Gorouter mishandles WebSocket requests for AWS Application Load Balancers (ALBs) and some other HTTP-aware Load Balancers. A user with developer privileges could use this vulnerability to steal data or cause denial of service. Cf\-Deployment, Routing\-Release 8.1
2017-11-28 CVE-2017-14389 An issue was discovered in Cloud Foundry Foundation capi-release (all versions prior to 1.45.0), cf-release (all versions prior to v280), and cf-deployment (all versions prior to v1.0.0). The Cloud Controller does not prevent space developers from creating subdomains to an already existing route that belongs to a different user in a different org and space, aka an "Application Subdomain Takeover." Capi\-Release, Cf\-Deployment, Cf\-Release 6.5
2019-11-19 CVE-2019-11289 Cloud Foundry Routing, all versions before 0.193.0, does not properly validate nonce input. A remote unauthenticated malicious user could forge an HTTP route service request using an invalid nonce that will cause the Gorouter to crash. Cf\-Deployment, Routing\-Release N/A
2019-12-06 CVE-2019-11293 Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters. Cf\-Deployment, User_account_and_authentication N/A