Security Advisory

CVE-2017-8047: Cloud Foundry router open redirect

Severity

High

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • routing-release
    • All versions prior to v0.163.0
  • cf-release
    • All versions prior to v274
      • Please note: due to a bug in 274, it is not recommended for production use. Deployments should use v275 or later.

Description

In some applications, it is possible to append a combination of characters to the URL that will allow for an open redirect. An attacker could exploit this in a phishing attack to gain access to user credentials or other sensitive data.
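As an added defender's illustration (not code from routing-release, cf-release or this advisory), the Go helper below shows the check any component that issues redirects should make: the host of the Location target, read the way a browser reads it, must be the host that served the request. The function and host names are assumptions, and the sample targets are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// hostOnly lowercases h and drops any ":port" suffix (hypothetical helper).
func hostOnly(h string) string {
	if u, err := url.Parse("//" + h); err == nil && u.Hostname() != "" {
		return strings.ToLower(u.Hostname())
	}
	return strings.ToLower(h)
}

// RedirectLeavesHost reports whether location, interpreted as a browser
// would, resolves to a host other than requestHost. Unparseable and
// non-HTTP targets are reported as leaving the host (fail closed).
func RedirectLeavesHost(requestHost, location string) bool {
	loc := strings.TrimSpace(location)
	// Browsers treat a backslash like a forward slash in the leading
	// authority position, so "/\other.example" behaves as "//other.example".
	loc = strings.ReplaceAll(loc, `\`, `/`)
	// Browsers also skip surplus leading slashes: "///other.example" is
	// scheme-relative, whereas net/url would parse it as a plain path.
	if strings.HasPrefix(loc, "//") {
		loc = "//" + strings.TrimLeft(loc, "/")
	}
	u, err := url.Parse(loc)
	if err != nil {
		return true
	}
	if u.Scheme == "" && u.Host == "" {
		return false // plain relative path such as "/login?next=/home"
	}
	if u.Scheme != "" && u.Scheme != "http" && u.Scheme != "https" {
		return true // javascript:, data: and similar are never same-host redirects
	}
	return strings.ToLower(u.Hostname()) != hostOnly(requestHost)
}

func main() {
	// Constructed sample Location values checked against the request host "app.example".
	for _, loc := range []string{"/login", "//other.example/", "/\\other.example",
		"///other.example", "https://app.example:443/x", "https://app.example@other.example/"} {
		fmt.Printf("%-40q leaves host: %v\n", loc, RedirectLeavesHost("app.example", loc))
	}
}
```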

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • routing-release: 0.163.0 [1]
    • cf-release: 274 [2]
      • Please note: due to a bug in 274, it is not recommended for production use. Deployments should use v275 or later.

References

History

2017-09-25: Initial vulnerability report published.

2017-09-26: Note about cf-release v274 added.

Author: Cloud Foundry Foundation Security Team