Security Advisory

CVE-2020-5423: Cloud Controller is vulnerable to denial of service via YAML parsing

Severity

High

Vendor

Cloud Foundry Foundation

Description

CAPI (Cloud Controller) versions prior to 1.101.0 are vulnerable to a denial-of-service attack in which an unauthenticated malicious attacker can send specially-crafted YAML files to certain endpoints, causing the YAML parser to consume excessive CPU and RAM.
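The advisory does not say which YAML construct the crafted files use or which endpoints accept them, so the following is a general hardening pattern for this class of bug in a Ruby service such as Cloud Controller, written as an added example; it is not CAPI's own code or the fix shipped in 1.101.0. It assumes Ruby's bundled Psych parser (Ruby 2.6 or later for the keyword form of `safe_load`), and the size limit, `Result` struct, function name and sample documents are all constructed for the example. It bounds the two resources the description names, CPU and RAM, by capping the raw document size before parsing and by refusing anchors/aliases, the mechanism that lets a few kilobytes of YAML expand into a very large object graph.

```ruby
require 'yaml' # loads Psych, Ruby's YAML parser

# Upper bound on the raw document size handed to the parser.
# Constructed value for this example; tune it to the largest legitimate manifest.
MAX_YAML_BYTES = 64 * 1024

# Outcome of an attempted parse: either a parsed value or a rejection reason.
Result = Struct.new(:ok, :value, :reason, keyword_init: true)

# Parse YAML from an untrusted client with bounds the parser does not impose on its own:
#  * reject oversized input before parsing, so the caller never buffers or parses arbitrary amounts
#  * disable anchors/aliases, so a small document cannot expand into a huge in-memory structure
#  * permit only plain data types (hashes, arrays, strings, numbers, booleans, nil),
#    so no application classes are instantiated from attacker-controlled tags
def load_untrusted_yaml(text, max_bytes: MAX_YAML_BYTES)
  return Result.new(ok: false, reason: :too_large) if text.bytesize > max_bytes

  value = Psych.safe_load(text, permitted_classes: [], aliases: false)
  Result.new(ok: true, value: value)
rescue Psych::BadAlias
  # Psych 3 raises BadAlias; Psych 4+ raises AliasesNotEnabled, a BadAlias subclass.
  Result.new(ok: false, reason: :aliases_not_allowed)
rescue Psych::DisallowedClass
  # e.g. a bare date scalar would become a Date object, which is not on the permitted list
  Result.new(ok: false, reason: :disallowed_type)
rescue Psych::SyntaxError
  Result.new(ok: false, reason: :malformed)
end

# Constructed sample documents for this example (not taken from the advisory).
BENIGN_MANIFEST = <<~YAML
  applications:
    - name: web
      instances: 2
      memory: 256M
YAML

# Uses an anchor (&defaults) and two aliases (*defaults). Alias expansion is what
# allows a document of a few kilobytes to grow into a large structure on parse,
# so the hardened loader rejects any use of it rather than trying to bound it.
ALIASED_MANIFEST = <<~YAML
  defaults: &defaults
    instances: 2
  web: *defaults
  worker: *defaults
YAML

# Stand-alone demonstration of the loader on the constructed inputs.
{ 'benign' => BENIGN_MANIFEST, 'aliased' => ALIASED_MANIFEST }.each do |label, doc|
  r = load_untrusted_yaml(doc)
  puts "#{label}: #{r.ok ? 'accepted' : "rejected (#{r.reason})"}"
end
```

The size check runs before `safe_load` so that the cost of a rejected request is a single `bytesize` call; the parser never sees the bytes. Rejecting aliases outright is the conservative choice for a service that accepts manifests from unauthenticated clients; if a deployment's legitimate manifests rely on `&anchor`/`*alias`, the alternative is to keep `aliases: true` and instead enforce a post-parse limit on the total number of nodes, which this example does not do.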

Affected Cloud Foundry Products and Versions

Severity is high unless otherwise noted.

  • CAPI
    • All versions prior to 1.101.0
  • CF Deployment
    • All versions prior to 15.0.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • CAPI
    • Upgrade all versions to 1.101.0 or greater
  • CF Deployment
    • Upgrade all versions to 15.0.0 or greater

History

2020-12-01: Initial vulnerability report published.


Cloud Foundry Foundation Security Team, AUTHOR
