Incorrect permission assignment for critical resource in Cloud Foundry Foundation CAPI and CF Deployment
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-5417 |
| CWE-ID | CWE-732 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Cloud Controller Web applications / Modules and components for CMS CF Deployment Server applications / Frameworks for developing and running applications |
| Vendor | Cloud Foundry Foundation |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Incorrect permission assignment for critical resource
EUVDB-ID: #VU46181
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-5417
CWE-ID:
CWE-732 - Incorrect Permission Assignment for Critical Resource
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the sysem.
The vulnerability exists when the affected software is used in a deployment where an app domain is also the system domain. A remote authenticated attacker can claim certain sensitive routes, potentially resulting in the developer’s app handling some requests that were expected to go to certain system components.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCloud Controller: before 1.97.0
CF Deployment: 0.0.0 - 13.11.0
CPE2.3- cpe:2.3:a:cloud_foundry_foundation:CAPI:*:*:*:*:*:*:*:*
- cpe:2.3:a:cloud_foundry_foundation:cf_deployment:0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:cloud_foundry_foundation:cf_deployment:0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:cloud_foundry_foundation:cf_deployment:0.0.2:*:*:*:*:*:*:*
https://www.cloudfoundry.org/blog/cve-2020-5417
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
