Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2018-1266: Cloud Controller file modification via malicious application

CVE-2018-1266: Cloud Controller file modification via malicious application

Severity

Critical

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • You are using Cloud Controller version prior to 1.52.0
  • You are using cf-deployment version prior to 1.21.0

Description

Cloud Foundry Cloud Controller, versions prior to 1.52.0, contains information disclosure and path traversal vulnerabilities. An authenticated malicious user can predict the location of application blobs and leverage path traversal to create a malicious application that has the ability to overwrite arbitrary files on the Cloud Controller instance.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • Cloud Controller 1.52.0
    • cf-deployment 1.21.0

Credit

This issue was responsibly reported by the GE Digital Security Team.

History

2018-03-26: Clarified issue description

2018-03-26: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES