Cloudfoundry

Cf-deployment

43 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.58%
  • Veröffentlicht 03.09.2020 01:15:10
  • Zuletzt bearbeitet 21.11.2024 05:34:07

Cloud Foundry CAPI (Cloud Controller) versions prior to 1.98.0 allow authenticated users having only the "cloud_controller.read" scope, but no roles in any spaces, to list all droplets in all spaces (whereas they should see none).

  • EPSS 1.18%
  • Veröffentlicht 03.09.2020 01:15:10
  • Zuletzt bearbeitet 21.11.2024 05:34:08

Cloud Foundry Routing (Gorouter) versions prior to 0.206.0 allow a malicious developer with "cf push" access to cause denial-of-service to the CF cluster by pushing an app that returns specially crafted HTTP responses that crash the Gorouters.

  • EPSS 0.99%
  • Veröffentlicht 21.08.2020 22:15:12
  • Zuletzt bearbeitet 21.11.2024 05:34:07

Cloud Foundry CAPI (Cloud Controller), versions prior to 1.97.0, when used in a deployment where an app domain is also the system domain (which is true in the default CF Deployment manifest), were vulnerable to developers maliciously or accidentally ...

  • EPSS 1.25%
  • Veröffentlicht 21.08.2020 22:15:12
  • Zuletzt bearbeitet 21.11.2024 05:34:07

Cloud Foundry Routing (Gorouter), versions prior to 0.204.0, when used in a deployment with NGINX reverse proxies in front of the Gorouters, is potentially vulnerable to denial-of-service attacks in which an unauthenticated malicious attacker can sen...

  • EPSS 2.89%
  • Veröffentlicht 17.07.2020 16:15:11
  • Zuletzt bearbeitet 21.11.2024 05:05:48

Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.

  • EPSS 0.49%
  • Veröffentlicht 27.02.2020 20:15:11
  • Zuletzt bearbeitet 21.11.2024 05:34:04

In Cloud Foundry UAA, versions prior to 74.14.0, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function when authenticating with external identity providers.

  • EPSS 0.75%
  • Veröffentlicht 27.02.2020 20:15:11
  • Zuletzt bearbeitet 21.11.2024 05:34:04

Cloud Foundry Cloud Controller (CAPI), versions prior to 1.91.0, logs properties of background jobs when they are run, which may include sensitive information such as credentials if provided to the job. A malicious user with access to those logs may ...

  • EPSS 0.78%
  • Veröffentlicht 19.12.2019 20:15:12
  • Zuletzt bearbeitet 21.11.2024 04:20:52

Cloud Foundry Cloud Controller API (CAPI), version 1.88.0, allows space developers to list all global service brokers, including service broker URLs and GUIDs, which should only be accessible to admins.

  • EPSS 1.32%
  • Veröffentlicht 06.12.2019 20:15:09
  • Zuletzt bearbeitet 21.11.2024 04:20:52

Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if...

  • EPSS 1.28%
  • Veröffentlicht 26.11.2019 00:15:11
  • Zuletzt bearbeitet 21.11.2024 04:20:51

Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well.