Cf Deployment
CVE-2020-5416
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
Cloud Foundry Routing (Gorouter), versions prior to 0.204.0, when used in a deployment with NGINX reverse proxies in front of the Gorouters, is potentially vulnerable to denial-of-service attacks in which an unauthenticated malicious attacker can send specially-crafted HTTP requests that may cause the Gorouters to be dropped from the NGINX backend pool.
AnalysisAI
Cloud Foundry Routing (Gorouter), versions prior to 0.204.0, when used in a deployment with NGINX reverse proxies in front of the Gorouters, is potentially vulnerable to denial-of-service attacks in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-404. Cloud Foundry Routing (Gorouter), versions prior to 0.204.0, when used in a deployment with NGINX reverse proxies in front of the Gorouters, is potentially vulnerable to denial-of-service attacks in which an unauthenticated malicious attacker can send specially-crafted HTTP requests that may cause the Gorouters to be dropped from the NGINX backend pool. Affected products include: Cloudfoundry Cf-Deployment, Cloudfoundry Routing-Release. Version information: prior to 0.204.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Cf Deployment
View allPrivate key disclosure in Cloud Foundry UAA versions v76.12.0 through v78.12.0 allows unauthenticated remote attackers t
Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fet
Adversary-in-the-middle credential theft and privilege escalation affects Cloud Foundry UAA (User Account and Authentica
Authentication bypass in Cloud Foundry UAA (User Account and Authentication) versions 2.0.0 through 78.13.0 allows remot
Cloud Foundry CAPI (Cloud Controller), versions prior to 1.97.0, when used in a deployment where an app domain is also t
In Cloud Foundry UAA, versions prior to 74.14.0, a CSRF vulnerability exists due to the OAuth2 state parameter not being
Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. Rated high s
Cloud Foundry Garden-runC, versions prior to 1.11.0, contains an information exposure vulnerability. Rated high severity
In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 28
Cloud Foundry Routing, all versions before 0.193.0, does not properly validate nonce input. Rated high severity (CVSS 8.
Privilege escalation in Cloud Foundry smb-volume-release (prior to v3.60.0) and CF Deployment (prior to v56.0.0) lets a
Cloud foundry instances having CAPI version between 1.140 and 1.152.0 along with loggregator-agent v7+ may override othe
Same weakness CWE-404 – Improper Resource Shutdown or Release
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today