Cloud Foundry Logo
blog single gear
Blog
Security Advisory

CVE-2017-8034: JWT issuer validation in multiple CF components

by: July 13, 2017

CVE-2017-8034: JWT issuer validation in multiple CF components

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

  • CAPI-release capi versions prior to v1.32.0
  • Routing-release versions prior to v0.159.0
  • CF-release versions prior to v267

Description

The Cloud Controller and Router in Cloud Foundry do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With certain multi-zone UAA configurations, zone administrators are able to escalate their privileges.

Mitigation

Users of affected versions should apply the following mitigation or upgrade:

  • Upgrade to Cloud Foundry v267 [1] or later
  • For standalone component users:
    • Upgrade to CAPI-release v1.32.0 [2] or later
    • Upgrade to Routing-release v0.159.0 [3] or later

Credit

This vulnerability was responsibly reported by the Cloud Foundry UAA team.

References

History

2017-07-13: Initial vulnerability report published

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-6238-1: Samba vulnerabilities
Security Advisory

USN-6238-1: Samba vulnerabilities

by Cloud Foundry Foundation Security Team August 10, 2023
CVE-2019-11293: UAA logs all query parameters with debug logging level
Security Advisory

CVE-2019-11293: UAA logs all query parameters with debug logging level

by Cloud Foundry Foundation Security Team December 3, 2019
USN-3586-1: DHCP vulnerabilities
Security Advisory

USN-3586-1: DHCP vulnerabilities

by Cloud Foundry Foundation Security Team May 2, 2018
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept