Cloud Foundry routing release versions prior to 0.278.0 are vulnerable to abuse of HTTP Hop-by-Hop Headers. An unauthenticated attacker can use this vulnerability with headers such as B3 or X-B3-SpanID to affect the identification value recorded in the logs in foundations.
Affected Cloud Foundry Products and Versions
*Severity is medium unless otherwise noted.
- Routing Release
  - All versions prior to 0.278.0
- CF Deployment
  - All versions prior to 32.4.0
Users of affected products are strongly encouraged to follow the mitigations below.
The Cloud Foundry project recommends upgrading the following releases:
- Routing Release
  - Upgrade all versions to 0.278.0 or greater
- CF Deployment
  - Upgrade all versions to 32.4.0 or greater
07/09/2023: Initial vulnerability report published.