Cloudfoundry Cf-Release vulnerabilities
35 known vulnerabilities affecting cloudfoundry/cf-release.
Total CVEs
35
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL6HIGH13MEDIUM15LOW1
Vulnerabilities
Page 1 of 2
CVE-2016-6655P3CRITICALCVSS 9.8≤ 2442017-06-13
CVE-2016-6655 [CRITICAL] CWE-77 CVE-2016-6655: An issue was discovered in Cloud Foundry Foundation Cloud Foundry release versions prior to v245 and
An issue was discovered in Cloud Foundry Foundation Cloud Foundry release versions prior to v245 and cf-mysql-release versions prior to v31. A command injection vulnerability was discovered in a common script used by many Cloud Foundry components. A malicious user may exploit numerous vectors to execute arbitrary commands on servers running Cloud Fou
nvd
CVE-2017-4992P3CRITICALCVSS 9.8≤ 2602017-06-13
CVE-2017-4992 [CRITICAL] CWE-269 CVE-2017-4992: An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v261; UAA release 2
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v261; UAA release 2.x versions prior to v2.7.4.17, 3.6.x versions prior to v3.6.11, 3.9.x versions prior to v3.9.13, and other versions prior to v4.2.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.15, 24.x versions prior to v24.10, 30.x versions prior
nvd
CVE-2016-6658P3CRITICALCVSS 9.6fixed in 2452018-03-29
CVE-2016-6658 [CRITICAL] CWE-200 CVE-2016-6658: Applications in cf-release before 245 can be configured and pushed with a user-provided custom build
Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in
nvd
CVE-2018-1195P3HIGHCVSS 8.8fixed in 2832018-03-19
CVE-2018-1195 [HIGH] CWE-613 CVE-2018-1195: In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release
In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of cli
nvd
CVE-2016-8218P3CRITICALCVSS 9.8≤ 203v204+26 more2017-06-13
CVE-2016-8218 [CRITICAL] CWE-20 CVE-2016-8218: An issue was discovered in Cloud Foundry Foundation routing-release versions prior to 0.142.0 and cf
An issue was discovered in Cloud Foundry Foundation routing-release versions prior to 0.142.0 and cf-release versions 203 to 231. Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users to the routing API, aka an "Unauthenticated JWT signing algorithm in routing" issue.
nvd
CVE-2016-0732P3HIGHCVSS 8.8≥ 208, ≤ 2292017-09-07
CVE-2016-0732 [HIGH] CWE-269 CVE-2016-0732: The identity zones feature in Pivotal Cloud Foundry 208 through 229; UAA 2.0.0 through 2.7.3 and 3.0
The identity zones feature in Pivotal Cloud Foundry 208 through 229; UAA 2.0.0 through 2.7.3 and 3.0.0; UAA-Release 2 through 4, when configured with multiple identity zones; and Elastic Runtime 1.6.0 through 1.6.13 allows remote authenticated users with privileges in one zone to gain privileges and perform operations on a different zone via unspecified
nvd
CVE-2015-3191P3HIGHCVSS 8.8≤ 2092017-05-25
CVE-2015-3191 [HIGH] CWE-352 CVE-2015-3191: With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or ear
With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the change_email form in UAA is vulnerable to a CSRF attack. This allows an attacker to trigger an e-mail change for a user logged into a cloud foundry instance via a malicious link on a attacker con
nvd
CVE-2017-8035P3HIGHCVSS 7.5≥ 245, < 2682017-07-25
CVE-2017-8035 [HIGH] CWE-200 CVE-2017-8035: An issue was discovered in the Cloud Controller API in Cloud Foundry Foundation CAPI-release version
An issue was discovered in the Cloud Controller API in Cloud Foundry Foundation CAPI-release versions after v1.6.0 and prior to v1.35.0 and cf-release versions after v244 and prior to v268. A carefully crafted CAPI request from a Space Developer can allow them to gain access to files on the Cloud Controller VM for that installation.
nvd
CVE-2017-4972P3HIGHCVSS 7.5≤ 2562017-06-13
CVE-2017-4972 [HIGH] CWE-89 CVE-2017-4972: An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.12, 24.x versions prior to v24.7, and other versions prior t
nvd
CVE-2016-9882P3HIGHCVSS 7.5≤ 2492017-01-13
CVE-2016-9882 [HIGH] CWE-532 CVE-2016-9882: An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v250 and CAPI-relea
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v250 and CAPI-release versions prior to v1.12.0. Cloud Foundry logs the credentials returned from service brokers in Cloud Controller system component logs. These logs are written to disk and often sent to a log aggregator via syslog.
nvd
CVE-2017-8037P3HIGHCVSS 7.5v245v246+23 more2017-08-21
CVE-2017-8037 [HIGH] CVE-2017-8037: In Cloud Foundry Foundation CAPI-release versions after v1.6.0 and prior to v1.38.0 and cf-release v
In Cloud Foundry Foundation CAPI-release versions after v1.6.0 and prior to v1.38.0 and cf-release versions after v244 and prior to v270, there is an incomplete fix for CVE-2017-8035. If you took steps to remediate CVE-2017-8035 you should also upgrade to fix this CVE. A carefully crafted CAPI request from a Space Developer can allow them to gain access to file
nvd
CVE-2015-5172P3CRITICALCVSS 9.8fixed in 2162017-10-24
CVE-2015-5172 [CRITICAL] CWE-640 CVE-2015-5172: Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elast
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links.
nvd
CVE-2015-5171P3CRITICALCVSS 9.8fixed in 2162017-10-24
CVE-2015-5171 [CRITICAL] CWE-613 CVE-2015-5171: The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2,
The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions.
nvd
CVE-2015-1834P3MEDIUMCVSS 6.5≤ 2072017-05-25
CVE-2015-1834 [MEDIUM] CWE-22 CVE-2015-1834: A path traversal vulnerability was identified in the Cloud Foundry component Cloud Controller that a
A path traversal vulnerability was identified in the Cloud Foundry component Cloud Controller that affects cf-release versions prior to v208 and Pivotal Cloud Foundry Elastic Runtime versions prior to 1.4.2. Path traversal is the 'outbreak' of a given directory structure through relative file paths in the user input. It aims at accessing files and dire
nvd
CVE-2017-8033P3HIGHCVSS 7.8fixed in 2682017-07-25
CVE-2017-8033 [HIGH] CWE-22 CVE-2017-8033: An issue was discovered in the Cloud Controller API in Cloud Foundry Foundation CAPI-release version
An issue was discovered in the Cloud Controller API in Cloud Foundry Foundation CAPI-release versions prior to v1.35.0 and cf-release versions prior to v268. A filesystem traversal vulnerability exists in the Cloud Controller that allows a space developer to escalate privileges by pushing a specially crafted application that can write arbitrary files to
nvd
CVE-2017-4991P3HIGHCVSS 7.2≤ 2592017-06-13
CVE-2017-4991 [HIGH] CWE-269 CVE-2017-4991: An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v260; UAA release 2
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v260; UAA release 2.x versions prior to v2.7.4.16, 3.6.x versions prior to v3.6.10, 3.9.x versions prior to v3.9.12, and other versions prior to v3.17.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.14, 24.x versions prior to v24.9, 30.x versions prior to 3
nvd
CVE-2017-4974P3MEDIUMCVSS 6.5≤ v2572017-06-13
CVE-2017-4974 [MEDIUM] CWE-89 CVE-2017-4974: An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v258; UAA release 2
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v258; UAA release 2.x versions prior to v2.7.4.15, 3.6.x versions prior to v3.6.9, 3.9.x versions prior to v3.9.11, and other versions prior to v3.16.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.13, 24.x versions prior to v24.8, and other versions prior
nvd
CVE-2017-8048P3HIGHCVSS 7.8v268v269+4 more2017-10-04
CVE-2017-8048 [HIGH] CVE-2017-8048: In Cloud Foundry capi-release versions 1.33.0 and later, prior to 1.42.0 and cf-release versions 268
In Cloud Foundry capi-release versions 1.33.0 and later, prior to 1.42.0 and cf-release versions 268 and later, prior to 274, the original fix for CVE-2017-8033 introduces an API regression that allows a space developer to execute arbitrary code on the Cloud Controller VM by pushing a specially crafted application. NOTE: 274 resolves the vulnerability but has a
nvd
CVE-2016-0780P3HIGHCVSS 7.5v2312017-05-25
CVE-2016-0780 [HIGH] CWE-399 CVE-2016-0780: It was discovered that cf-release v231 and lower, Pivotal Cloud Foundry Elastic Runtime 1.5.x versio
It was discovered that cf-release v231 and lower, Pivotal Cloud Foundry Elastic Runtime 1.5.x versions prior to 1.5.17 and Pivotal Cloud Foundry Elastic Runtime 1.6.x versions prior to 1.6.18 do not properly enforce disk quotas in certain cases. An attacker could use an improper disk quota value to bypass enforcement and consume all the disk on DEAs/CEL
nvd
CVE-2015-5170P3HIGHCVSS 8.8fixed in 2162017-10-24
CVE-2015-5170 [HIGH] CWE-352 CVE-2015-5170: Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elast
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF checks.
nvd
1 / 2Next →