CVE-2017-8034

The Cloud Controller and Router in Cloud Foundry (CAPI-release capi versions prior to v1.32.0, Routing-release versions prior to v0.159.0, CF-release versions prior to v267) do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With certain multi-zone UAA configurations, zone administrators are able to escalate their privileges.

Published: 2017-07-17 14:29
Updated: 2019-10-03 00:03

CVSS Score: 6.0 / 10

| Vendor | Product | Version | URI |
|---|---|---|---|
| Cloudfoundry | Capi-release | 1.31.0 | cpe:/a:cloudfoundry:capi-release:1.31.0 |
| Cloudfoundry | Cf-release | 266 | cpe:/a:cloudfoundry:cf-release:266 |
| Cloudfoundry | Routing-release | 0.158.0 | cpe:/a:cloudfoundry:routing-release:0.158.0 |

CWE

| ID | Name | Description |
|---|---|---|
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking | The application relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user. |

History of changes

Date Event
2019-10-03 00:03
2017-11-08 12:58
2017-07-31 12:16
2017-07-17 14:29 New CVE