CVE-2022-31733Improper Certificate Validation in Cf-deployment

CWE-295Improper Certificate Validation3 documents3 sources
Severity
9.1CRITICALNVD
EPSS
0.1%
top 65.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cloudfoundry Cf-deploymentCloudfoundry Diego
Timeline
PublishedFeb 3

Description

Starting with diego-release 2.55.0 and up to 2.69.0, and starting with CF Deployment 17.1 and up to 23.2.0, apps are accessible via another port on diego cells, allowing application ingress without a client certificate. If mTLS route integrity is enabled AND unproxied ports are turned off, then an attacker could connect to an application that should be only reachable via mTLS, without presenting a client certificate.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

NVDcloudfoundry/diego2.55.02.69.0
NVDcloudfoundry/cf-deployment17.123.2.0

🔴Vulnerability Details

2
GHSA
GHSA-cxh3-vwqp-fxrv: Starting with diego-release 22023-02-03
CVEList
CVE-2022-31733: Starting with diego-release 22023-02-03
CVE-2022-31733 — Improper Certificate Validation | cvebase