Cloud Foundry Logo
blog single gear
Blog
Security Advisory

CVE-2017-14389: Application Subdomain Takeover via Cloud Foundry Private Domains

by: November 22, 2017

CVE-2017-14389: Application Subdomain Takeover via Cloud Foundry Private Domains

Severity

High

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • capi-release
    • All versions prior to 1.45.0
  • cf-release
    • All versions prior to v280
  • cf-deployment
    • All versions prior to v1.0.0

Description

The Cloud Controller does not prevent space developers from creating subdomains to an already existing route that belongs to a different user in a different org and space.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • capi-release: 1.45.0
    • cf-release: 280
    • cf-deployment: 1.0.0

Credit

This issue was responsibly reported by the GE Digital Security Team.

References

History

2017-11-22: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-3263-1: FreeType vulnerability
Security Advisory

USN-3263-1: FreeType vulnerability

by Cloud Foundry Foundation Security Team May 1, 2017
USN-3910-2: Linux kernel (Xenial HWE) vulnerabilities
Security Advisory

USN-3910-2: Linux kernel (Xenial HWE) vulnerabilities

by Cloud Foundry Foundation Security Team April 12, 2019
CVE-2024-22279 – GoRouter Denial of Service Attack
Security Advisory

CVE-2024-22279 – GoRouter Denial of Service Attack

by Cloud Foundry Foundation Security Team June 5, 2024
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept