CVE-2017-8047: Cloud Foundry router open redirect
Severity
High
Vendor
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- routing-release
  - All versions prior to v0.163.0
- cf-release
  - All versions prior to v274
  - Please note: due to a bug in 274, it is not recommended for production use. Deployments should use v275 or later.
Description
In some applications, it is possible to append a combination of characters to the URL that will allow for an open redirect. An attacker could exploit this in a phishing attack to gain access to user credentials or other sensitive data.
Mitigation
Users of affected versions should apply the following mitigations or upgrades:
- Releases that have fixed this issue include:
  - routing-release: 0.163.0 [1]
  - cf-release: 274 [2]
    - Please note: due to a bug in 274, it is not recommended for production use. Deployments should use v275 or later.
References
- [1] https://github.com/cloudfoundry-incubator/routing-release/releases
- [2] https://github.com/cloudfoundry/cf-release/releases
History
2017-09-25: Initial vulnerability report published.
2017-09-26: Note about cf-release v274 added.