CVE-2019-11277 — LDAP Injection in Foundry CF Deployment

CWE-90 — LDAP Injection CWE-74 — Injection3 documents3 sources

Severity

8.1HIGHNVD

EPSS

0.9%

top 24.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloud Foundry CF Deployment Cloud Foundry CF NFS Volume Release Cloudfoundry Cf-deployment +1 more

Timeline

PublishedSep 23

Latest updateMay 24

Description

Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. A remote authenticated malicious space developer can potentially inject LDAP filters via service instance creation, facilitating the malicious space developer to deny service or perform a dictionary attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages4 packages

▶NVDcloudfoundry/nfs_volume_release1.7.0 — 1.7.11+1

▶CVEListV5cloud_foundry/cf_nfs_volume_release1.7 — v1.7.11+1

▶NVDcloudfoundry/cf-deployment< 11.1.0

▶CVEListV5cloud_foundry/cf_deploymentAll — v11.1.0

🔴Vulnerability Details

GHSA

GHSA-4gr5-536m-w65f: Cloud Foundry NFS Volume Service, 1↗2022-05-24

▶

CVEList

Volume Services is vulnerable to an LDAP injection attack↗2019-09-23

▶