Severity
Medium
Vendor
Cloud Foundry
Description
Cloud foundry routing release versions prior to 0.278.0 are vulnerable to abuse of HTTP Hop-by-Hop Headers. An unauthenticated attacker can use this vulnerability for headers like B3 or X-B3-SpanID to affect the identification value recorded in the logs in foundations.
Affected Cloud Foundry Products and Versions
*Severity is medium unless otherwise noted.
- Routing
- All versions prior to 0.278.0
- CF deployment
- All versions prior to 32.4.0
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below.
The Cloud Foundry project recommends upgrading the following releases:
- Routing
-
- Upgrade all versions to 0.278.0 or greater
- CF Deployment
-
- Upgrade all versions to 32.4.0 or greater
References
- https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:R/CR:X/IR:L/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:X/MI:L/MA:N&version=3.1
History
07/09/2023: Initial vulnerability report published.
