Cloud Foundry Logo
blog single gear
Blog
Security Advisory

CVE-2020-5418: Cloud Controller allows users with no roles to list droplets

by: September 1, 2020

Severity

Low

Vendor

Cloud Foundry Foundation

Description

Cloud Foundry CAPI (Cloud Controller) versions prior to 1.98.0 allow authenticated users having only the “cloud_controller.read” scope, but no roles in any spaces, to list all droplets in all spaces (whereas they should see none).

Affected Cloud Foundry Products and Versions

Severity is low unless otherwise noted.

  • CAPI
    • All versions prior to 1.98.0
  • CF Deployment
    • All versions prior to 13.17.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • CAPI
    • Upgrade all versions to 1.98.0 or greater
  • CF Deployment
    • Upgrade all versions to 13.17.0 or greater

History

2020-09-01: Initial vulnerability report published

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-5378-1: Gzip vulnerability
Security Advisory

USN-5378-1: Gzip vulnerability

by Cloud Foundry Foundation Security Team May 23, 2022
USN-3061-1 OpenSSH vulnerability
Security Advisory

USN-3061-1 OpenSSH vulnerability

by Cloud Foundry Foundation Security Team August 25, 2016
USN-4236-2: Libgcrypt vulnerability
Security Advisory

USN-4236-2: Libgcrypt vulnerability

by Cloud Foundry Foundation Security Team February 5, 2020
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept