cvebase

Cloudfoundry Cf-Release vulnerabilities

35 known vulnerabilities affecting cloudfoundry/cf-release.

Total CVEs: 35
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 13, MEDIUM 15, LOW 1

Vulnerabilities

Page 2 of 2
CVE-2015-5173 | P4 | HIGH | CVSS 8.8 | fixed in 216 | 2017-10-24
CWE-200: Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact via vectors involving emails with password recovery links, aka "Cross Domain Referer Leakage."
nvd
CVE-2016-0708 | P4 | MEDIUM | CVSS 5.9 | ≥ 166, ≤ 227 | 2018-07-11
CWE-200: Applications deployed to Cloud Foundry, versions v166 through v227, may be vulnerable to a remote disclosure of information, including, but not limited to environment variables and bound service details. For applications to be vulnerable, they must have been staged using automatic buildpack detection, passed through the Java Buildpack detection script
nvd
CVE-2017-14389 | P4 | MEDIUM | CVSS 6.5 | fixed in 280 | 2017-11-28
An issue was discovered in Cloud Foundry Foundation capi-release (all versions prior to 1.45.0), cf-release (all versions prior to v280), and cf-deployment (all versions prior to v1.0.0). The Cloud Controller does not prevent space developers from creating subdomains to an already existing route that belongs to a different user in a different org and space,
nvd
CVE-2017-8034 | P4 | MEDIUM | CVSS 6.6 | ≤ 266 | 2017-07-17
CWE-565: The Cloud Controller and Router in Cloud Foundry (CAPI-release capi versions prior to v1.32.0, Routing-release versions prior to v0.159.0, CF-release versions prior to v267) do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With certain multi-zone UAA configurations, zone administrators are able to escalate their privileges.
nvd
CVE-2016-8219 | P4 | MEDIUM | CVSS 6.5 | fixed in 250 | 2017-06-13
CWE-269: An issue was discovered in Cloud Foundry Foundation cf-release versions prior to 250 and CAPI-release versions prior to 1.12.0. A user with the SpaceAuditor role is over-privileged with the ability to restage applications. This could cause application downtime if the restage fails.
nvd
CVE-2017-4969 | P4 | MEDIUM | CVSS 6.5 | ≤ 254 | 2017-04-20
The Cloud Controller in Cloud Foundry cf-release versions prior to v255 allows authenticated developer users to exceed memory and disk quotas for tasks.
nvd
CVE-2016-2165 | P4 | MEDIUM | CVSS 6.5 | ≤ 231 | 2017-05-25
CWE-20: The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivotal Elastic Runtime versions prior to 1.5.19 AND 1.6.x versions prior to 1.6.20 are not cleansing request URL paths when they are invalid and are returning them in the 404 response. This could allow malicious scripts to be written directly into the 404 response.
nvd
CVE-2017-4970 | P4 | MEDIUM | CVSS 5.9 | v255 | 2017-06-13
An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static fil
nvd
CVE-2017-8047 | P4 | MEDIUM | CVSS 6.1 | ≤ 273 | 2017-10-04
CWE-601: In Cloud Foundry router routing-release all versions prior to v0.163.0 and cf-release all versions prior to v274, in some applications, it is possible to append a combination of characters to the URL that will allow for an open redirect. An attacker could exploit this as a phishing attack to gain access to user credentials or other sensitive data. NOT
nvd
CVE-2018-1190 | P4 | MEDIUM | CVSS 6.1 | ≤ 269 | 2018-01-04
CWE-79: An issue was discovered in these Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions prior to v45.0. A cross-site scripting (XSS) attack is possible in the clientId parameter of a request to the UAA OpenID Connect check session iframe endpoin
nvd
CVE-2017-8031 | P4 | MEDIUM | CVSS 5.3 | ≤ 278 | 2017-11-27
An issue was discovered in Cloud Foundry Foundation cf-release (all versions prior to v279) and UAA (30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1). In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is usi
nvd
CVE-2016-2169 | P4 | MEDIUM | CVSS 5.3 | fixed in 237 | 2018-04-18
CWE-17: Cloud Foundry Cloud Controller, capi-release versions prior to 1.0.0 and cf-release versions prior to v237, contain a business logic flaw. An application developer may create an application with a route that conflicts with a platform service route and receive traffic intended for the service.
nvd
CVE-2015-3190 | P4 | MEDIUM | CVSS 6.1 | ≤ 209 | 2017-05-25
CWE-601: With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the UAA logout link is susceptible to an open redirect which allows an attacker to insert malicious web page as a redirect parameter.
nvd
CVE-2016-0713 | P4 | MEDIUM | CVSS 4.7 | v141, v142 +86 more | 2017-08-31
CWE-79: Gorouter in Cloud Foundry cf-release v141 through v228 allows man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks via vectors related to modified requests.
nvd
CVE-2015-3189 | P4 | LOW | CVSS 3.7 | ≤ 208 | 2017-05-25
CWE-640: With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authenticati
nvd