
CVE-2020-5418: Cloud Controller allows users with no roles to list droplets

By: Cloud Foundry Foundation Security Team | September 1, 2020


Severity

Low

Vendor

Cloud Foundry Foundation

Description

Cloud Foundry CAPI (Cloud Controller) versions prior to 1.98.0 allow authenticated users having only the “cloud_controller.read” scope, but no roles in any spaces, to list all droplets in all spaces (whereas they should see none).
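The advisory does not describe the defect inside CAPI itself; the Python model below is an added illustration, not Cloud Controller code, of the authorization failure mode it reports: a visibility filter that treats an empty set of space roles as "no restriction" rather than "no access", beside the corrected filter. The `Droplet`/`User` types, the sample droplets and the set of global-read scopes are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Droplet:
    guid: str
    space_guid: str

@dataclass(frozen=True)
class User:
    scopes: frozenset       # UAA scopes held by the token, e.g. "cloud_controller.read"
    space_roles: frozenset  # GUIDs of spaces in which the user holds any role

# Constructed sample data: three droplets spread across two spaces.
DROPLETS = [
    Droplet("d-1", "space-a"),
    Droplet("d-2", "space-a"),
    Droplet("d-3", "space-b"),
]

# Scopes assumed here to grant read access to every space (admin-style scopes).
GLOBAL_READ_SCOPES = frozenset({
    "cloud_controller.admin",
    "cloud_controller.admin_read_only",
    "cloud_controller.global_auditor",
})

def list_droplets_vulnerable(user, droplets=DROPLETS):
    """Illustrative buggy filter: an empty role set switches filtering off."""
    if "cloud_controller.read" not in user.scopes:
        return []
    if user.scopes & GLOBAL_READ_SCOPES or not user.space_roles:
        # BUG: "no space roles" is handled like "no restriction", so a
        # cloud_controller.read user with no roles sees every droplet.
        return list(droplets)
    return [d for d in droplets if d.space_guid in user.space_roles]

def list_droplets_fixed(user, droplets=DROPLETS):
    """Corrected filter: only global-read scopes bypass the per-space check."""
    if "cloud_controller.read" not in user.scopes:
        return []
    if user.scopes & GLOBAL_READ_SCOPES:
        return list(droplets)
    # An empty allow-list of spaces yields an empty result, as it should.
    return [d for d in droplets if d.space_guid in user.space_roles]

# Constructed principals used to exercise both filters.
NO_ROLE_USER = User(frozenset({"cloud_controller.read"}), frozenset())
SPACE_A_USER = User(frozenset({"cloud_controller.read"}), frozenset({"space-a"}))
```

The same expectation, "a read-scoped user with no roles lists zero droplets", is what an operator would check against a patched CAPI after upgrading.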

Affected Cloud Foundry Products and Versions

Severity is low unless otherwise noted.

  • CAPI
    • All versions prior to 1.98.0
  • CF Deployment
    • All versions prior to 13.17.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • CAPI
    • Upgrade all versions to 1.98.0 or greater
  • CF Deployment
    • Upgrade all versions to 13.17.0 or greater

History

2020-09-01: Initial vulnerability report published


Cloud Foundry Foundation Security Team, AUTHOR
