CVE-2019-11294 — Sensitive Information Exposure in Foundry Capi

CWE-200 — Sensitive Information Exposure CWE-863 — Incorrect Authorization3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 54.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloudfoundry Cf-deployment Cloud Foundry Capi Cloudfoundry Capi-release

Timeline

PublishedDec 19

Latest updateMay 24

Description

Cloud Foundry Cloud Controller API (CAPI), version 1.88.0, allows space developers to list all global service brokers, including service broker URLs and GUIDs, which should only be accessible to admins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5cloud_foundry/capi1.88.0

▶NVDcloudfoundry/capi-release1.88.0

▶NVDcloudfoundry/cf-deployment< 12.7.0

🔴Vulnerability Details

GHSA

GHSA-2443-wh6v-5rjf: Cloud Foundry Cloud Controller API (CAPI), version 1↗2022-05-24

▶

CVEList

CAPI leaks service broker URLs and GUIDs to space developers↗2019-12-19

▶