Cloud Foundry Logo
blog single gear
Blog
Security Advisory

CVE-2017-14389: Application Subdomain Takeover via Cloud Foundry Private Domains

by: November 22, 2017

CVE-2017-14389: Application Subdomain Takeover via Cloud Foundry Private Domains

Severity

High

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • capi-release
    • All versions prior to 1.45.0
  • cf-release
    • All versions prior to v280
  • cf-deployment
    • All versions prior to v1.0.0

Description

The Cloud Controller does not prevent space developers from creating subdomains to an already existing route that belongs to a different user in a different org and space.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • capi-release: 1.45.0
    • cf-release: 280
    • cf-deployment: 1.0.0

Credit

This issue was responsibly reported by the GE Digital Security Team.

References

History

2017-11-22: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-3161-2: Linux kernel (Xenial HWE) vulnerabilities
Security Advisory

USN-3161-2: Linux kernel (Xenial HWE) vulnerabilities

by Cloud Foundry Foundation Security Team January 31, 2017
CVE-2017-8036: Cloud Controller API regression
Security Advisory

CVE-2017-8036: Cloud Controller API regression

by Cloud Foundry Foundation Security Team July 19, 2017
USN-5993-1: Samba vulnerabilities
Security Advisory

USN-5993-1: Samba vulnerabilities

by Cloud Foundry Foundation Security Team April 24, 2023
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept