Vulnerabilities > Cloudfoundry > Medium
| DATE | CVE | VULNERABILITY TITLE AND DESCRIPTION | RISK |
|---|---|---|---|
| 2020-07-17 | CVE-2020-15586 | Race Condition vulnerability in multiple products: Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time. | 5.9 |
| 2020-02-27 | CVE-2020-5402 | Cross-Site Request Forgery (CSRF) vulnerability in Cloudfoundry Cf-Deployment: In Cloud Foundry UAA, versions prior to 74.14.0, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function when authenticating with external identity providers. | 6.8 |
| 2020-02-27 | CVE-2020-5401 | HTTP Request Smuggling vulnerability in Cloudfoundry Routing Release: Cloud Foundry Routing Release, versions prior to 0.197.0, contains GoRouter, which allows malicious clients to send invalid headers, causing caching layers to reject subsequent legitimate clients trying to access the app. | 5.0 |
| 2020-02-27 | CVE-2020-5400 | Information Exposure Through Log Files vulnerability in Cloudfoundry Cf-Deployment: Cloud Foundry Cloud Controller (CAPI), versions prior to 1.91.0, logs properties of background jobs when they are run, which may include sensitive information such as credentials if provided to the job. | 4.0 |
| 2020-02-12 | CVE-2020-5399 | Cleartext Transmission of Sensitive Information vulnerability in multiple products: Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS. | 5.8 |
| 2019-12-19 | CVE-2019-11294 | Incorrect Authorization vulnerability in Cloudfoundry Cf-Deployment: Cloud Foundry Cloud Controller API (CAPI), version 1.88.0, allows space developers to list all global service brokers, including service broker URLs and GUIDs, which should only be accessible to admins. | 4.0 |
| 2019-10-23 | CVE-2019-11283 | Information Exposure Through Log Files vulnerability in multiple products: Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. | 4.0 |
| 2019-10-23 | CVE-2019-11282 | Injection vulnerability in multiple products: Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack. | 4.0 |
| 2019-09-26 | CVE-2019-11279 | Improper Privilege Management vulnerability in Cloudfoundry UAA Release: CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes. | 6.5 |
| 2019-09-23 | CVE-2019-11277 | Injection vulnerability in Cloudfoundry Cf-Deployment: Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. | 5.5 |