CVE-2019-11289 — Improper Input Validation in Foundry Routing

CWE-20 — Improper Input Validation5 documents4 sources

Severity

8.6HIGHNVD

EPSS

0.6%

top 29.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloud Foundry Routing Code.cloudfoundry.org Gorouter Github.com Cloudfoundry Gorouter +2 more

Timeline

PublishedNov 19

Latest updateJul 28

Description

Cloud Foundry Routing, all versions before 0.193.0, does not properly validate nonce input. A remote unauthenticated malicious user could forge an HTTP route service request using an invalid nonce that will cause the Gorouter to crash.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:HExploitability: 3.9 | Impact: 4.0

Affected Packages5 packages

▶Gocode.cloudfoundry.org/gorouter< 0.0.0-20191101214924-b1b5c44e050f

▶Gogithub.com/cloudfoundry_gorouter< 0.0.0-20191101214924-b1b5c44e050f

▶CVEListV5cloud_foundry/routingAll — 0.193.0

▶NVDcloudfoundry/routing-release< 0.193.0

▶NVDcloudfoundry/cf-deployment< 12.8.0

🔴Vulnerability Details

OSV

Panic in decryption in code.cloudfoundry.org/gorouter↗2021-07-28

▶

OSV

Cloud Foundry Routing Improper Input Validation vulnerability↗2021-05-18

▶

GHSA

Cloud Foundry Routing Improper Input Validation vulnerability↗2021-05-18

▶

CVEList

A forged route service request using an invalid nonce can cause the gorouter to panic and crash↗2019-11-19

▶