Cloud Controller may allow developers to claim sensitive routes
CVE-2020-5417

8.5HIGH

Key Information:

Vendor: Cloud Foundry
Status: Capi; Cf Deployment
Vendor: CVE Published:; 21 August 2020

🔔 Create Cloud Foundry Vulnerability Alert

What is CVE-2020-5417?

Cloud Foundry CAPI (Cloud Controller), versions prior to 1.97.0, when used in a deployment where an app domain is also the system domain (which is true in the default CF Deployment manifest), were vulnerable to developers maliciously or accidentally claiming certain sensitive routes, potentially resulting in the developer's app handling some requests that were expected to go to certain system components.

Affected Version(s)

CAPI All < 1.97.0

CF Deployment All < 13.12.0

References

https://www.cloudfoundry.org/blog/cve-2020-5417

x_refsource_CONFIRM

CVSS V3.1

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

CVSS V3.0

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 21, 2020
Vulnerability Reserved
Jan 3, 2020

CVE-2020-5417 Data

JSON