CVE | Vendors | Products | Updated | CVSS | Description
CVE-2019-3801 | Cloudfoundry | Cf-deployment, Uaa Release | 2019-10-09 | 5.0 | Cloud Foundry cf-deployment, versions prior to 7.9.0, contains Java components that use an insecure protocol to fetch dependencies at build time. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and...
CVE-2019-3798 | Cloudfoundry | Capi-release | 2019-10-09 | 6.0 | Cloud Foundry Cloud Controller API Release, versions prior to 1.79.0, contains improper authentication when validating user permissions. A remote authenticated malicious user with the ability to create UAA clients and knowledge of the email of a...
CVE-2019-3789 | Cloudfoundry | Routing Release | 2019-10-09 | 4.0 | Cloud Foundry Routing Release, all versions prior to 0.188.0, contains a vulnerability that allows traffic to route services hosted outside the platform to be hijacked. A user with space developer permissions can create a private domain that shadows the...
CVE-2019-3788 | Cloudfoundry | Uaa Release | 2019-10-09 | 5.8 | Cloud Foundry UAA Release, versions prior to 71.0, allows clients to be configured with an insecure redirect URI. If a UAA client is configured with a wildcard in the redirect URI's subdomain, a remote unauthenticated malicious user can craft...
CVE-2019-3786 | Cloudfoundry | Bosh Backup And Restore | 2019-10-09 | 4.0 | Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a BOSH Backup and Restore job to request...
CVE-2019-3784 | Cloudfoundry | Stratos | 2019-10-09 | 4.0 | Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed. When deployed on Cloud Foundry with multiple instances using the default embedded SQLite database, a remote authenticated malicious user can switch...
CVE-2019-3783 | Cloudfoundry | Stratos | 2019-10-09 | 4.0 | Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret. A malicious user who knows the default session store secret can brute-force another user's current Stratos session and act on behalf of that user.
CVE-2019-3782 | Cloudfoundry | Credhub Cli | 2019-10-09 | 2.1 | Cloud Foundry CredHub CLI, versions prior to 2.2.1, inadvertently writes authentication credentials provided via environment variables to its persistent config file. A local authenticated malicious user with access to the CredHub CLI config file...
CVE-2019-3781 | Cloudfoundry | Command Line Interface | 2019-10-09 | 3.5 | Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debug output is turned on. A local unauthenticated or remote authenticated malicious user with access to the logs may obtain part or all of a user's password.
CVE-2019-3779 | Cloudfoundry | Container Runtime | 2019-10-09 | 4.0 | Cloud Foundry Container Runtime, versions prior to 0.29.0, deploys Kubernetes clusters that use the same CA (Certificate Authority) to sign and trust certificates for etcd as for the Kubernetes API. This could allow a user authenticated with a...
CVE-2019-3775 | Cloudfoundry | Uaa Release | 2019-10-09 | 4.0 | Cloud Foundry UAA, versions prior to v70.0, allows a user to update their own email address. A remote authenticated user can impersonate a different user by changing their own email address to that of the other user.
CVE-2019-11279 | Cloudfoundry | Uaa Release | 2019-10-09 | 6.5 | CF UAA versions prior to 74.1.0 allow a client to request scopes it should not be granted by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and...
CVE-2019-11278 | Cloudfoundry | User Account And Authentication | 2019-10-09 | 7.5 | CF UAA versions prior to 74.1.0 allow external input to be used directly in a query. A remote malicious user with the 'client.write' and 'groups.update' scopes can craft a SCIM query that leaks information allowing an escalation of privileges,...
CVE-2019-11277 | Cloudfoundry | Cf-deployment | 2019-10-09 | 5.5 | Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. A remote authenticated malicious space developer can potentially inject LDAP filters via service instance creation,...
CVE-2019-11274 | Cloudfoundry | User Account And Authentication | 2019-10-09 | 4.3 | Cloud Foundry UAA, versions prior to 74.0.0, is vulnerable to an XSS attack. A remote unauthenticated malicious attacker could craft a URL containing a SCIM filter that carries malicious JavaScript, which older browsers may execute.
CVE-2018-1191 | Cloudfoundry | Cf-deployment | 2019-10-09 | 3.5 | Cloud Foundry Garden-runC, versions prior to 1.11.0, contains an information exposure vulnerability. A user with access to Garden logs may be able to obtain leaked credentials and perform authenticated actions using those credentials.
CVE-2018-11084 | Cloudfoundry | Garden-runc | 2019-10-09 | 5.5 | Cloud Foundry Garden-runC release, versions prior to 1.16.1, prevents deletion of some app environments based on file attributes. A remote authenticated malicious user may create and delete apps with crafted file attributes to cause a denial of...
CVE-2017-8034 | Cloud Foundry, Cloudfoundry | Cf-release, Capi-release, Routing-release and 3 more | 2019-10-03 | 6.0 | The Cloud Controller and Router in Cloud Foundry (CAPI-release capi versions prior to v1.32.0, Routing-release versions prior to v0.159.0, CF-release versions prior to v267) do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With...
CVE-2017-4969 | Cloud Foundry, Cloudfoundry | Cf-release, Cf-release | 2019-10-03 | 6.8 | The Cloud Controller in Cloud Foundry cf-release versions prior to v255 allows authenticated developer users to exceed memory and disk quotas for tasks.
CVE-2017-4970 | Cloud Foundry, Cloudfoundry | Staticfile Buildpack, Cf-release, Cf-release and 1 more | 2019-10-03 | 4.3 | An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Staticfile buildpack causes the Staticfile.auth configuration to be ignored when the Static...
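CVE-2019-3788 above concerns redirect URIs registered with a wildcard in the subdomain. The Go below is an added illustration of that bug class and is not UAA's matcher: a naive glob match over the raw redirect string accepts a redirect to an attacker-controlled host whose URL merely ends with the expected suffix, whereas a component-wise comparison of the parsed URL lets the wildcard stand for exactly one DNS label and checks scheme, port and path separately. The registered pattern and the candidate hosts are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// naiveRedirectMatch treats the registered redirect URI as a glob over the raw
// string: the text before '*' must prefix the candidate and the text after it
// must be a suffix. This is the weak pattern, written out to show why it fails;
// it is not UAA's matcher.
func naiveRedirectMatch(registered, candidate string) bool {
	star := strings.Index(registered, "*")
	if star < 0 {
		return registered == candidate
	}
	prefix, suffix := registered[:star], registered[star+1:]
	return len(candidate) >= len(prefix)+len(suffix) &&
		strings.HasPrefix(candidate, prefix) &&
		strings.HasSuffix(candidate, suffix)
}

// strictRedirectMatch parses both URIs and compares them component by
// component. A leading "*." in the registered host stands for exactly one DNS
// label; scheme, port and path must match exactly; user-info and fragments in
// the candidate are refused outright. Query strings are left to the caller's
// policy, since the host comparison is what keeps the redirect on-origin.
func strictRedirectMatch(registered, candidate string) bool {
	reg, err := url.Parse(registered)
	if err != nil {
		return false
	}
	cand, err := url.Parse(candidate)
	if err != nil || cand.User != nil || cand.Fragment != "" {
		return false
	}
	if cand.Scheme != reg.Scheme || cand.Port() != reg.Port() || cand.EscapedPath() != reg.EscapedPath() {
		return false
	}
	regHost := strings.ToLower(reg.Hostname())
	candHost := strings.ToLower(cand.Hostname())
	if !strings.HasPrefix(regHost, "*.") {
		return candHost == regHost
	}
	suffix := regHost[1:] // e.g. ".apps.example.com"
	if !strings.HasSuffix(candHost, suffix) {
		return false
	}
	label := strings.TrimSuffix(candHost, suffix)
	return label != "" && !strings.Contains(label, ".")
}

func main() {
	// Registered pattern and candidate redirects are constructed for this example.
	pattern := "https://*.apps.example.com/callback"
	for _, c := range []string{
		"https://app1.apps.example.com/callback",
		"https://attacker.example/?next=.apps.example.com/callback",
		"https://attacker.example#.apps.example.com/callback",
	} {
		fmt.Printf("%-62s naive=%-5t strict=%t\n", c, naiveRedirectMatch(pattern, c), strictRedirectMatch(pattern, c))
	}
}
```

The strict matcher deliberately rejects multi-label subdomains and the bare apex, so a wildcard registration never widens to "anything under the zone"; loosen that only if the client genuinely needs it.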
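CVE-2019-3779 above is about a single CA signing and trusting certificates for both etcd and the Kubernetes API. As an added illustration, not CFCR's code or configuration, the Go below builds throwaway CAs in memory and shows the consequence: a client certificate issued under the API server's CA is accepted by a verifier that trusts that same CA for etcd, and refused once etcd has a CA of its own. The CA names and the principal name are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// authority is a throwaway certificate authority built in memory for this
// example; nothing here touches a real cluster's PKI.
type authority struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// check turns the (practically impossible) in-memory key-generation and
// self-signing failures into a panic so the example stays short.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newCA(name string) *authority {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &authority{cert: cert, key: key}
}

// issueClientCert signs a client-authentication leaf for the named principal,
// the kind of credential a Kubernetes user or component presents over mTLS.
func (a *authority) issueClientCert(name string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, a.cert, &key.PublicKey, a.key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return leaf
}

// acceptedBy reports whether a server that trusts only trustedCA would accept
// the client certificate, which is the decision etcd's client-cert auth makes.
func acceptedBy(leaf, trustedCA *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// trustBoundaries compares the two topologies and reports, for each, whether
// a client credential issued for the Kubernetes API is accepted by etcd.
func trustBoundaries() (sharedCAAccepts, separateCAAccepts bool) {
	// One CA signs everything: etcd's trust store holds the same root that
	// issued the API client's certificate.
	shared := newCA("shared-ca")
	sharedCAAccepts = acceptedBy(shared.issueClientCert("kubernetes-admin"), shared.cert)

	// Dedicated CAs: etcd trusts only etcd-ca, so the API credential fails.
	kubeCA, etcdCA := newCA("kubernetes-ca"), newCA("etcd-ca")
	separateCAAccepts = acceptedBy(kubeCA.issueClientCert("kubernetes-admin"), etcdCA.cert)
	return sharedCAAccepts, separateCAAccepts
}

func main() {
	shared, separate := trustBoundaries()
	fmt.Println("API client cert accepted by etcd with a shared CA:  ", shared)
	fmt.Println("API client cert accepted by etcd with separate CAs: ", separate)
}
```

The point is the trust store, not the certificate contents: any credential the shared CA ever signed, for any purpose, is a valid etcd client until the roots are split.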
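CVE-2019-11277 above describes LDAP filter injection via service-instance creation. As an added illustration, not the NFS Volume Service's own code, the Go below places the injection-prone pattern next to a hardened one that escapes the assertion value per RFC 4515 section 3 before splicing it into the filter. The filter template, account name and injection payload are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue encodes an LDAP filter assertion value per RFC 4515
// section 3: '*', '(', ')', '\' and NUL must be written as a backslash
// followed by two hex digits. Other control characters and bytes outside
// printable ASCII are escaped the same way, which the grammar permits and
// which keeps the resulting filter unambiguous.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch {
		case c == '*', c == '(', c == ')', c == '\\', c == 0, c < 0x20, c > 0x7e:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// filterTemplate is constructed for this example: the shape of a lookup a
// service might run for the account named in a service-instance request.
// It is not the NFS Volume Service's own query.
const filterTemplate = "(&(objectClass=posixAccount)(uid=%s))"

// unsafeUserFilter splices caller-controlled input straight into the filter,
// the pattern that makes LDAP injection possible.
func unsafeUserFilter(uid string) string {
	return fmt.Sprintf(filterTemplate, uid)
}

// safeUserFilter escapes the value first, so the input can only ever be
// compared as a literal string and cannot change the filter's structure.
func safeUserFilter(uid string) string {
	return fmt.Sprintf(filterTemplate, escapeFilterValue(uid))
}

// assertionCount counts the unescaped '(' characters in a filter. The
// template contains exactly three, so any other number means the input
// added or removed assertions.
func assertionCount(filter string) int {
	return strings.Count(filter, "(")
}

func main() {
	payload := "*)(uid=*))(|(uid=*" // constructed injection attempt
	fmt.Printf("unsafe: %s (%d opening parens)\n", unsafeUserFilter(payload), assertionCount(unsafeUserFilter(payload)))
	fmt.Printf("safe:   %s (%d opening parens)\n", safeUserFilter(payload), assertionCount(safeUserFilter(payload)))
}
```

Escaping the value is the whole fix; the attribute name and the filter's boolean structure must never be built from request data at all.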
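CVE-2017-8034 above says the Cloud Controller and Router did not validate the issuer of JWTs from UAA. The Go below is an added example, not the project's code: a resource server that only verifies the signature accepts any token signed with the expected key, wherever it was minted, while one that also pins the iss claim to its configured UAA rejects a token from a different issuer. The signing key, issuer URLs and claims are constructed for the example, and HS256 with a shared key is used only to keep it self-contained; the issuer check itself is the same for any signing algorithm.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed for this example: a shared HS256 key standing in for a token
// signing key that two UAA instances happen to share, and the issuer URL the
// resource server is configured to trust. Neither is a real deployment value.
var signingKey = []byte("example-shared-signing-key")

const trustedIssuer = "https://uaa.example.com/oauth/token"

// claims is the subset of JWT claims this example inspects.
type claims struct {
	Iss   string   `json:"iss"`
	Sub   string   `json:"sub"`
	Scope []string `json:"scope"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintToken builds an HS256 JWT and stands in for a UAA token endpoint; the
// only thing that differs between two UAA instances here is the iss claim.
func mintToken(c claims, key []byte) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// verifySignatureOnly is the weak check: any token signed with the expected
// key is accepted, no matter which issuer minted it.
func verifySignatureOnly(token string, key []byte) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims{}, errors.New("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return claims{}, err
		}
		raw[i] = b
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw[0], &header); err != nil {
		return claims{}, err
	}
	// Pin the algorithm so a token cannot downgrade to "none" or swap schemes.
	if header.Alg != "HS256" {
		return claims{}, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(raw[2], mac.Sum(nil)) {
		return claims{}, errors.New("bad signature")
	}
	var c claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return claims{}, err
	}
	return c, nil
}

// verifyToken adds the missing step: the iss claim must name the UAA this
// resource server was configured to trust.
func verifyToken(token string, key []byte, issuer string) (claims, error) {
	c, err := verifySignatureOnly(token, key)
	if err != nil {
		return claims{}, err
	}
	if c.Iss != issuer {
		return claims{}, fmt.Errorf("untrusted issuer %q", c.Iss)
	}
	return c, nil
}

func main() {
	foreign := mintToken(claims{Iss: "https://uaa.other.example.com/oauth/token", Sub: "alice"}, signingKey)
	_, err := verifySignatureOnly(foreign, signingKey)
	fmt.Println("signature-only check accepts token from foreign issuer:", err == nil)
	_, err = verifyToken(foreign, signingKey, trustedIssuer)
	fmt.Println("issuer-pinned check rejects it:", err != nil)
}
```

In a real deployment the issuer to pin is the token endpoint URL the resource server was configured with, and the check belongs beside the audience and expiry checks, not after authorization has already happened.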