CVE-2020-5417

EUVD-2020-26586
Cloud Foundry CAPI (Cloud Controller), versions prior to 1.97.0, when used in a deployment where an app domain is also the system domain (which is true in the default CF Deployment manifest), were vulnerable to developers maliciously or accidentally claiming certain sensitive routes, potentially resulting in the developer's app handling some requests that were expected to go to certain system components.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
pivotalCNA
8.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
Affected Products (NVD)
VendorProductVersion
cloudfoundrycapi-release
𝑥
< 1.97.0
cloudfoundrycf-deployment
𝑥
< 13.12.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.cloudfoundry.org/blog/cve-2020-5417
https://www.cloudfoundry.org/blog/cve-2020-5417