Cloud Controller allows users with no roles to list droplets
CVE-2020-5418

3.1LOW

Key Information:

Vendor: Cloud Foundry
Status: Capi; Cf Deployment
Vendor: CVE Published:; 3 September 2020

🔔 Create Cloud Foundry Vulnerability Alert

What is CVE-2020-5418?

Cloud Foundry CAPI (Cloud Controller) versions prior to 1.98.0 allow authenticated users having only the "cloud_controller.read" scope, but no roles in any spaces, to list all droplets in all spaces (whereas they should see none).

Affected Version(s)

CAPI All < 1.98.0

CF Deployment All < 13.17.0

References

https://www.cloudfoundry.org/blog/cve-2020-5418

x_refsource_CONFIRM

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

CVSS V3.0

Score:

3.1

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 3, 2020
Vulnerability Reserved
Jan 3, 2020

CVE-2020-5418 Data

JSON