Cloud Foundry Logo
blog single gear
Blog
Security Advisory

CVE-2016-8218: Unauthenticated JWT signing algorithm in routing

by: December 9, 2016

CVE-2016-8218: Unauthenticated JWT signing algorithm in routing

Severity

Critical

Vendor

Cloud Foundry Foundation

Versions Affected

  • routing-release versions prior to 0.142.0
  • cf-release versions 203 to 231

Description

Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users to the routing API.

Mitigation

OSS users of affected routing-release versions are strongly encouraged to:

  • Upgrade routing-release to 0.142.0 or later.

OSS users of cf-release versions 203 to 231 are strongly encouraged to:

  • Upgrade to the latest version of Cloud Foundry. As of this writing, the latest version is v249. [1]

Credit

The issue was responsibly reported by a VMware team member.

References

[1] https://github.com/cloudfoundry/cf-release/releases

History

2016-12-09: Initial vulnerability report published
2016-12-15: Vulnerable software versions updated

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-3690-2: AMD Microcode regression
Security Advisory

USN-3690-2: AMD Microcode regression

by Cloud Foundry Foundation Security Team July 19, 2018
USN-3398-1: graphite2 vulnerabilities
Security Advisory

USN-3398-1: graphite2 vulnerabilities

by Cloud Foundry Foundation Security Team September 21, 2017
USN-3312-2: Linux kernel (Xenial HWE) vulnerabilities
Security Advisory

USN-3312-2: Linux kernel (Xenial HWE) vulnerabilities

by Cloud Foundry Foundation Security Team June 22, 2017
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept