CVE-2018-1266: Cloud Controller file modification via malicious application

Severity

Critical

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

You are using Cloud Controller version prior to 1.52.0
You are using cf-deployment version prior to 1.21.0

Description

Cloud Foundry Cloud Controller, versions prior to 1.52.0, contains information disclosure and path traversal vulnerabilities. An authenticated malicious user can predict the location of application blobs and leverage path traversal to create a malicious application that has the ability to overwrite arbitrary files on the Cloud Controller instance.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

Releases that have fixed this issue include:
- Cloud Controller 1.52.0
- cf-deployment 1.21.0

Credit

This issue was responsibly reported by the GE Digital Security Team.

History

2018-03-26: Clarified issue description

2018-03-26: Initial vulnerability report published.

CVE-2018-1266: Cloud Controller file modification via malicious application

CVE-2018-1266: Cloud Controller file modification via malicious application

Severity

Vendor

Affected Cloud Foundry Products and Versions

Description

Mitigation

Credit

History

You Might Also Like

USN-5702-1: curl vulnerabilities

USN-3848-2: Linux kernel (Xenial HWE) vulnerabilities

USN-4142-1: e2fsprogs vulnerability

Sign up for the Cloud Foundry Newsletter today!

Sign up for the
Cloud Foundry Newsletter today!