CVSS: 6.8EPSS: 0%CPEs: 5EXPL: 0CVE-2018-1268
https://notcve.org/view.php?id=CVE-2018-1268
06 Jun 2018 — Cloud Foundry Loggregator, versions 89.x prior to 89.5 or 96.x prior to 96.1 or 99.x prior to 99.1 or 101.x prior to 101.9 or 102.x prior to 102.2, does not validate app GUID structure in requests. A remote authenticated malicious user knowing the GUID of an app may construct malicious requests to read from or write to the logs of that app. Cloud Foundry Loggregator, en versiones 89.x anteriores a la 89.5, versiones 96.x anteriores a la 96.1, versiones 99.x anteriores a la 99.1, versiones 101.x anteriores a... • https://www.cloudfoundry.org/blog/cve-2018-1268 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1193
https://notcve.org/view.php?id=CVE-2018-1193
23 May 2018 — Cloud Foundry routing-release, versions prior to 0.175.0, lacks sanitization for user-provided X-Forwarded-Proto headers. A remote user can set the X-Forwarded-Proto header in a request to potentially bypass an application requirement to only respond over secure connections. Cloud Foundry routing-release, en versiones anteriores a la 0.175.0, carece de saneamiento para cabeceras X-Forwarded-Proto proporcionadas por el usuario. Un usuario remoto puede establecer la cabecera X-Forwarded-Proto en una petición ... • https://www.cloudfoundry.org/blog/cve-2018-1193 •
CVSS: 7.2EPSS: 0%CPEs: 12EXPL: 0CVE-2018-1262
https://notcve.org/view.php?id=CVE-2018-1262
15 May 2018 — Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation. Cloud Foundry Foundation UAA, en versiones 4.12.X y 4.13.X, introdujo una característica que podría permitir el escalado de pri... • https://www.cloudfoundry.org/blog/cve-2018-1262 •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1277
https://notcve.org/view.php?id=CVE-2018-1277
30 Apr 2018 — Cloud Foundry Garden-runC, versions prior to 1.13.0, does not correctly enforce disc quotas for Docker image layers. A remote authenticated user may push an app with a malicious Docker image that will consume more space on a Diego cell than allocated in their quota, potentially causing a DoS against the cell. Cloud Foundry Garden-runC, en versiones anteriores a la 1.13.0, no aplica correctamente las cuotas de disco para las capas de imagen Docker. Un usuario autenticado remoto podría insertar una aplicación... • https://www.cloudfoundry.org/blog/cve-2018-1277 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2016-2169
https://notcve.org/view.php?id=CVE-2016-2169
18 Apr 2018 — Cloud Foundry Cloud Controller, capi-release versions prior to 1.0.0 and cf-release versions prior to v237, contain a business logic flaw. An application developer may create an application with a route that conflicts with a platform service route and receive traffic intended for the service. Cloud Foundry Cloud Controller, capi-release en versiones anteriores a la 1.0.0 y cf-release en versiones anteriores a la v237, contienen un error de lógica de negocio. Un desarrollador de aplicaciones puede crear una ... • https://github.com/cloudfoundry/cloud_controller_ng/issues/568 • CWE-17: DEPRECATED: Code •
CVSS: 9.6EPSS: 0%CPEs: 4EXPL: 0CVE-2016-6658
https://notcve.org/view.php?id=CVE-2016-6658
29 Mar 2018 — Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repo. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud Controller data... • https://pivotal.io/security/cve-2016-6658 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1191
https://notcve.org/view.php?id=CVE-2018-1191
29 Mar 2018 — Cloud Foundry Garden-runC, versions prior to 1.11.0, contains an information exposure vulnerability. A user with access to Garden logs may be able to obtain leaked credentials and perform authenticated actions using those credentials. Cloud Foundry Garden-runC, en versiones anteriores a la 1.11.0, contiene una vulnerabilidad de exposición de información. Un usuario con acceso a los registros de Garden podría ser capaz de obtener credenciales filtradas y realizar acciones autenticadas mediante el uso de esas... • https://www.cloudfoundry.org/blog/cve-2018-1191 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-215: Insertion of Sensitive Information Into Debugging Code •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1266
https://notcve.org/view.php?id=CVE-2018-1266
27 Mar 2018 — Cloud Foundry Cloud Controller, versions prior to 1.52.0, contains information disclosure and path traversal vulnerabilities. An authenticated malicious user can predict the location of application blobs and leverage path traversal to create a malicious application that has the ability to overwrite arbitrary files on the Cloud Controller instance. Cloud Foundry Cloud Controller, en versiones anteriores a la 1.52.0, contiene vulnerabilidades de revelación de información y salto de directorio. Un usuario mali... • https://www.cloudfoundry.org/blog/cve-2018-1266 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-330: Use of Insufficiently Random Values •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1267
https://notcve.org/view.php?id=CVE-2018-1267
27 Mar 2018 — Cloud Foundry Silk CNI plugin, versions prior to 0.2.0, contains an improper access control vulnerability. If the platform is configured with an application security group (ASG) that overlaps with the Silk overlay network, any applications can reach any other application on the network regardless of the configured routing policies. El plugin Cloud Foundry Silk CNI, en versiones anteriores a la 0.2.0, contiene una vulnerabilidad de control de acceso incorrecto. Si la plataforma está configurada con un grupo ... • https://www.cloudfoundry.org/blog/cve-2018-1267 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1195
https://notcve.org/view.php?id=CVE-2018-1195
19 Mar 2018 — In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of client credentials or revocation, would allow authentication. En Cloud Controller, en versiones anteriores a la 1.46.0, versiones cf-deployment anteriores a la... • https://www.cloudfoundry.org/blog/cve-2018-1195 • CWE-613: Insufficient Session Expiration •