CVE-2020-5417Incorrect Permission Assignment in Foundry Capi

CWE-732Incorrect Permission Assignment3 documents3 sources
Severity
8.8HIGHNVD
EPSS
0.3%
top 43.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Cloud Foundry CapiCloud Foundry CF DeploymentCloudfoundry Capi-release+1 more
Timeline
PublishedAug 21
Latest updateMay 24

Description

Cloud Foundry CAPI (Cloud Controller), versions prior to 1.97.0, when used in a deployment where an app domain is also the system domain (which is true in the default CF Deployment manifest), were vulnerable to developers maliciously or accidentally claiming certain sensitive routes, potentially resulting in the developer's app handling some requests that were expected to go to certain system components.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

CVEListV5cloud_foundry/cf_deploymentAll13.12.0
CVEListV5cloud_foundry/capiAll1.97.0

🔴Vulnerability Details

2
GHSA
GHSA-jq2q-gqc9-53g3: Cloud Foundry CAPI (Cloud Controller), versions prior to 12022-05-24
CVEList
Cloud Controller may allow developers to claim sensitive routes2020-08-21
CVE-2020-5417 — Incorrect Permission Assignment | cvebase