Vulnerabilities (CVE)

Vendor filter

Cloudfoundry Subscribe

Filter

30 total CVE
CVE Vendors Products Updated CVSS
CVE-2019-3801 1 Cloudfoundry 2 Cf-deployment, Uaa Release 2019-10-09 5.0
Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and...
CVE-2019-3798 1 Cloudfoundry 1 Capi-release 2019-10-09 6.0
Cloud Foundry Cloud Controller API Release, versions prior to 1.79.0, contains improper authentication when validating user permissions. A remote authenticated malicious user with the ability to create UAA clients and knowledge of the email of a...
CVE-2019-3789 1 Cloudfoundry 1 Routing Release 2019-10-09 4.0
Cloud Foundry Routing Release, all versions prior to 0.188.0, contains a vulnerability that can hijack the traffic to route services hosted outside the platform. A user with space developer permissions can create a private domain that shadows the...
CVE-2019-3788 1 Cloudfoundry 1 Uaa Release 2019-10-09 5.8
Cloud Foundry UAA Release, versions prior to 71.0, allows clients to be configured with an insecure redirect uri. Given a UAA client was configured with a wildcard in the redirect uri's subdomain, a remote malicious unauthenticated user can craft...
CVE-2019-3786 1 Cloudfoundry 1 Bosh Backup And Restore 2019-10-09 4.0
Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a Bosh Backup and Restore job to request...
CVE-2019-3784 1 Cloudfoundry 1 Stratos 2019-10-09 4.0
Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed. When deployed on cloud foundry with multiple instances using the default embedded SQLite database, a remote authenticated malicious user can switch...
CVE-2019-3783 1 Cloudfoundry 1 Stratos 2019-10-09 4.0
Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret. A malicious user with default session store secret can brute force another user's current Stratos session, and act on behalf of that user.
CVE-2019-3782 1 Cloudfoundry 1 Credhub Cli 2019-10-09 2.1
Cloud Foundry CredHub CLI, versions prior to 2.2.1, inadvertently writes authentication credentials provided via environment variables to its persistent config file. A local authenticated malicious user with access to the CredHub CLI config file...
CVE-2019-3781 1 Cloudfoundry 1 Command Line Interface 2019-10-09 3.5
Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a users password.
CVE-2019-3779 1 Cloudfoundry 1 Container Runtime 2019-10-09 4.0
Cloud Foundry Container Runtime, versions prior to 0.29.0, deploys Kubernetes clusters utilize the same CA (Certificate Authority) to sign and trust certs for ETCD as used by the Kubernetes API. This could allow a user authenticated with a...
CVE-2019-3775 1 Cloudfoundry 1 Uaa Release 2019-10-09 4.0
Cloud Foundry UAA, versions prior to v70.0, allows a user to update their own email address. A remote authenticated user can impersonate a different user by changing their email address to that of a different user.
CVE-2019-11279 1 Cloudfoundry 1 Uaa Release 2019-10-09 6.5
CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and...
CVE-2019-11278 1 Cloudfoundry 1 User Account And Authentication 2019-10-09 7.5
CF UAA versions prior to 74.1.0, allow external input to be directly queried against. A remote malicious user with 'client.write' and 'groups.update' can craft a SCIM query, which leaks information that allows an escalation of privileges,...
CVE-2019-11277 1 Cloudfoundry 1 Cf-deployment 2019-10-09 5.5
Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. A remote authenticated malicious space developer can potentially inject LDAP filters via service instance creation,...
CVE-2019-11274 1 Cloudfoundry 1 User Account And Authentication 2019-10-09 4.3
Cloud Foundry UAA, versions prior to 74.0.0, is vulnerable to an XSS attack. A remote unauthenticated malicious attacker could craft a URL that contains a SCIM filter that contains malicious JavaScript, which older browsers may execute.
CVE-2018-1191 1 Cloudfoundry 1 Cf-deployment 2019-10-09 3.5
Cloud Foundry Garden-runC, versions prior to 1.11.0, contains an information exposure vulnerability. A user with access to Garden logs may be able to obtain leaked credentials and perform authenticated actions using those credentials.
CVE-2018-11084 1 Cloudfoundry 1 Garden-runc 2019-10-09 5.5
Cloud Foundry Garden-runC release, versions prior to 1.16.1, prevents deletion of some app environments based on file attributes. A remote authenticated malicious user may create and delete apps with crafted file attributes to cause a denial of...
CVE-2017-8034 2 Cloud Foundry, Cloudfoundry 6 Cf-release, Capi-release, Routing-release and 3 more 2019-10-03 6.0
The Cloud Controller and Router in Cloud Foundry (CAPI-release capi versions prior to v1.32.0, Routing-release versions prior to v0.159.0, CF-release versions prior to v267) do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With...
CVE-2017-4969 2 Cloud Foundry, Cloudfoundry 2 Cf-release, Cf-release 2019-10-03 6.8
The Cloud Controller in Cloud Foundry cf-release versions prior to v255 allows authenticated developer users to exceed memory and disk quotas for tasks.
CVE-2017-4970 2 Cloud Foundry, Cloudfoundry 4 Staticfile Buildpack, Cf-release, Cf-release and 1 more 2019-10-03 4.3
An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static...