CVE-2017-14389 — Capi-release vulnerability

4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 59.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloudfoundry Capi-release Cloudfoundry Cf-deployment Cloudfoundry Cf-release

Timeline

PublishedNov 28

Latest updateMay 13

Description

An issue was discovered in Cloud Foundry Foundation capi-release (all versions prior to 1.45.0), cf-release (all versions prior to v280), and cf-deployment (all versions prior to v1.0.0). The Cloud Controller does not prevent space developers from creating subdomains to an already existing route that belongs to a different user in a different org and space, aka an "Application Subdomain Takeover."

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDcloudfoundry/capi-release< 1.45.0

▶NVDcloudfoundry/cf-release< 280

▶NVDcloudfoundry/cf-deployment< 1.0.0

🔴Vulnerability Details

GHSA

GHSA-2mjv-62fw-hvv4: An issue was discovered in Cloud Foundry Foundation capi-release (all versions prior to 1↗2022-05-13

▶

CVEList

CVE-2017-14389: An issue was discovered in Cloud Foundry Foundation capi-release (all versions prior to 1↗2017-11-28

▶

💬Community

HackerOne

Subdomain Takeover Via via Dangling NS records on Amazon Route 53 http://api.e2e-kops-aws-canary.test-cncf-aws.canary.k8s.io↗2020-11-29

▶