CVE-2017-14389: Application Subdomain Takeover via Cloud Foundry Private Domains
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- capi-release: all versions prior to 1.45.0
- cf-release: all versions prior to v280
- cf-deployment: all versions prior to v1.0.0
The Cloud Controller does not prevent space developers from creating subdomains of an already existing route that belongs to a different user in a different org and space.
Users of affected versions should apply the following mitigations or upgrades:
- Releases that have fixed this issue include:
  - capi-release: 1.45.0
  - cf-release: 280
  - cf-deployment: 1.0.0
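An added example, not part of the original advisory and not Cloud Foundry code: a small audit for the condition described above, flagging private domains that sit beneath a route owned by a different org. The `Route` and `Domain` records, the function names and all sample values are constructed assumptions; fill them from your own foundation's inventory.

```python
from typing import NamedTuple

class Route(NamedTuple):      # hypothetical inventory record
    fqdn: str                 # full route hostname
    org: str
    space: str

class Domain(NamedTuple):     # hypothetical inventory record
    name: str                 # private domain name
    org: str                  # org that owns the private domain

def _labels(name: str) -> tuple:
    # Normalise case and a trailing root dot before comparing.
    return tuple(name.strip().rstrip(".").lower().split("."))

def is_subdomain(child: str, parent: str) -> bool:
    """True when child is strictly below parent, compared label by label.

    A plain string suffix test would wrongly match
    'evilshop.apps.example.test' against 'shop.apps.example.test'.
    """
    c, p = _labels(child), _labels(parent)
    return len(c) > len(p) and c[-len(p):] == p

def find_cross_org_overlaps(routes, domains):
    """Return (domain, route) pairs where a private domain is a subdomain
    of a route that belongs to a different org."""
    findings = []
    for d in domains:
        for r in routes:
            if d.org != r.org and is_subdomain(d.name, r.fqdn):
                findings.append((d, r))
    return sorted(findings)

# Constructed sample inventory (reserved .test names, not real data).
ROUTES = [
    Route("shop.apps.example.test", "org-a", "prod"),
    Route("api.apps.example.test", "org-a", "prod"),
]
DOMAINS = [
    Domain("login.shop.apps.example.test", "org-b"),   # cross-org: flagged
    Domain("static.shop.apps.example.test", "org-a"),  # same org: ignored
    Domain("evilshop.apps.example.test", "org-b"),     # sibling, not a child
    Domain("Login.API.apps.example.test.", "org-c"),   # case/dot normalised
]

if __name__ == "__main__":
    for d, r in find_cross_org_overlaps(ROUTES, DOMAINS):
        print(f"{d.name} ({d.org}) is under {r.fqdn} ({r.org}/{r.space})")
```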
This issue was responsibly reported by the GE Digital Security Team.
2017-11-22: Initial vulnerability report published.