CVE-2018-1266: Cloud Controller file modification via malicious application
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- You are using Cloud Controller version prior to 1.52.0
- You are using cf-deployment version prior to 1.21.0
Cloud Foundry Cloud Controller, versions prior to 1.52.0, contains information disclosure and path traversal vulnerabilities. An authenticated malicious user can predict the location of application blobs and leverage path traversal to create a malicious application that has the ability to overwrite arbitrary files on the Cloud Controller instance.
Users of affected versions should apply the following mitigations or upgrades:
- Releases that have fixed this issue include:
- Cloud Controller 1.52.0
- cf-deployment 1.21.0
This issue was responsibly reported by the GE Digital Security Team.
2018-03-26: Clarified issue description
2018-03-26: Initial vulnerability report published.