File Path Vulnerability in Cloud Foundry Diego by Pivotal Software
CVE-2018-1265

7.2HIGH

Key Information:

Vendor: Cloud Foundry
Status: Diego
Vendor: CVE Published:; 6 June 2018

🔔 Create Cloud Foundry Vulnerability Alert

What is CVE-2018-1265?

Cloud Foundry Diego versions prior to 2.8.0 are vulnerable due to inadequate sanitization of file paths in tar and zip file headers. This flaw enables a remote attacker with CF admin privileges to upload a malicious buildpack, potentially leading to a complete takeover of the Diego Cell VM. Once exploited, this could grant the attacker unauthorized access to all applications hosted on the compromised Diego Cell, posing significant security risks to the entire environment.

Affected Version(s)

Diego < 2.8.0

References

https://www.cloudfoundry.org/blog/cve-2018-1265/

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 6, 2018
Vulnerability Reserved
Dec 6, 2017

CVE-2018-1265 Data

JSON