CVE-2019-3789Improper Privilege Management in Foundry CF Routing

CWE-840CWE-269Improper Privilege Management3 documents3 sources
Severity
6.5MEDIUMNVD
EPSS
0.2%
top 63.40%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cloud Foundry CF RoutingCloudfoundry Routing Release
Timeline
PublishedApr 24
Latest updateMay 24

Description

Cloud Foundry Routing Release, all versions prior to 0.188.0, contains a vulnerability that can hijack the traffic to route services hosted outside the platform. A user with space developer permissions can create a private domain that shadows the external domain of the route service, and map that route to an app. When the gorouter receives traffic destined for the external route service, this traffic will instead be directed to the internal app using the shadow route.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5cloud_foundry/cf_routingAll0.188.0

🔴Vulnerability Details

2
GHSA
GHSA-r999-j7hp-qmgq: Cloud Foundry Routing Release, all versions prior to 02022-05-24
CVEList
Gorouter allows space developer to hijack route services hosted outside the platform2019-04-24
CVE-2019-3789 — Improper Privilege Management | cvebase