#VU46181 Incorrect permission assignment for critical resource in Cloud Controller and CF Deployment - CVE-2020-5417

Cybersecurity Help s.r.o.

Published: 2020-09-01

Vulnerability identifier: #VU46181

Vulnerability risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-5417

CWE-ID: CWE-732

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cloud Controller
Web applications / Modules and components for CMS
CF Deployment
Server applications / Frameworks for developing and running applications

Vendor: Cloud Foundry Foundation

Description

The vulnerability allows a remote attacker to compromise the sysem.

The vulnerability exists when the affected software is used in a deployment where an app domain is also the system domain. A remote authenticated attacker can claim certain sensitive routes, potentially resulting in the developer’s app handling some requests that were expected to go to certain system components.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Cloud Controller: before 1.97.0

CF Deployment: 0.0.0 - 13.11.0

External links
https://www.cloudfoundry.org/blog/cve-2020-5417

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in VMware Tanzu Application Service for VMs

Incorrect permission assignment for critical resource in Cloud Foundry Foundation CAPI and CF Deployment