Product:

Cf\-Deployment

(Cloudfoundry)
Repositories

Unknown:

This might be proprietary software.
#Vulnerabilities 34
Date Id Summary Products Score Patch Annotated
2022-03-25 CVE-2021-22100 In cloud foundry CAPI versions prior to 1.122, a denial-of-service attack in which a developer can push a service broker that (accidentally or maliciously) causes CC instances to timeout and fail is possible. An attacker can leverage this vulnerability to cause an inability for anyone to push or manage apps. Capi\-Release, Cf\-Deployment 5.3
2023-02-03 CVE-2022-31733 Starting with diego-release 2.55.0 and up to 2.69.0, and starting with CF Deployment 17.1 and up to 23.2.0, apps are accessible via another port on diego cells, allowing application ingress without a client certificate. If mTLS route integrity is enabled AND unproxied ports are turned off, then an attacker could connect to an application that should be only reachable via mTLS, without presenting a client certificate. Cf\-Deployment, Diego 9.1
2023-09-08 CVE-2023-34041 Cloud foundry routing release versions prior to 0.278.0 are vulnerable to abuse of HTTP Hop-by-Hop Headers. An unauthenticated attacker can use this vulnerability for headers like B3 or X-B3-SpanID to affect the identification value recorded in the logs in foundations. Cf\-Deployment, Routing\-Release 5.3
2024-06-10 CVE-2024-22279 Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade the service availability of the Cloud Foundry deployment if performed at scale. Cf\-Deployment, Routing_release 7.5
2019-11-26 CVE-2019-11290 Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well. Cf\-Deployment, User_account_and_authentication 7.5
2018-03-19 CVE-2018-1195 In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of client credentials or revocation, would allow authentication. Capi\-Release, Cf\-Deployment, Cf\-Release 8.8
2019-04-25 CVE-2019-3801 Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component. Cf\-Deployment, Credhub, Uaa_release 9.8
2018-05-15 CVE-2018-1262 Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation. Cf\-Deployment, Cloud_foundry_uaa, Cloud_foundry_uaa\-Release 7.2
2018-06-06 CVE-2018-1265 Cloud Foundry Diego, release versions prior to 2.8.0, does not properly sanitize file paths in tar and zip files headers. A remote attacker with CF admin privileges can upload a malicious buildpack that will allow a complete takeover of a Diego Cell VM and access to all apps running on that Diego Cell. Cf\-Deployment, Cloud_foundry_diego 7.2
2019-10-23 CVE-2019-11282 Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack. A remote authenticated malicious user with scim.invite scope can craft a request with malicious content which can leak information about users of the UAA. Cf\-Deployment, Cloud_foundry_uaa 4.3