Skip to main content

Cf Deployment CVE-2024-22279

HIGH
HTTP Request/Response Smuggling (CWE-444)
2024-06-10 security@vmware.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 10, 2024 - 20:15 nvd
HIGH 7.5

DescriptionNVD

Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade the service availability of the Cloud Foundry deployment if performed at scale.

AnalysisAI

Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade the service availability of the Cloud Foundry deployment if performed at. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as HTTP Request/Response Smuggling (CWE-444), which allows attackers to manipulate HTTP request interpretation between frontend and backend servers. Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade the service availability of the Cloud Foundry deployment if performed at scale. Affected products include: Cloudfoundry Cf-Deployment, Cloudfoundry Routing Release.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Enforce strict HTTP parsing, normalize requests at proxy layer, use HTTP/2 end-to-end, reject ambiguous headers.

CVE-2026-40965 CRITICAL
10.0 Jun 01

Private key disclosure in Cloud Foundry UAA versions v76.12.0 through v78.12.0 allows unauthenticated remote attackers t

CVE-2019-3801 CRITICAL
9.8 Apr 25

Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fet

CVE-2026-47840 CRITICAL
9.3 Jul 09

Adversary-in-the-middle credential theft and privilege escalation affects Cloud Foundry UAA (User Account and Authentica

CVE-2026-41005 CRITICAL
9.0 Jun 11

Authentication bypass in Cloud Foundry UAA (User Account and Authentication) versions 2.0.0 through 78.13.0 allows remot

CVE-2020-5417 HIGH
8.8 Aug 21

Cloud Foundry CAPI (Cloud Controller), versions prior to 1.97.0, when used in a deployment where an app domain is also t

CVE-2020-5402 HIGH
8.8 Feb 27

In Cloud Foundry UAA, versions prior to 74.14.0, a CSRF vulnerability exists due to the OAuth2 state parameter not being

CVE-2019-11283 HIGH
8.8 Oct 23

Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. Rated high s

CVE-2018-1191 HIGH
8.8 Mar 29

Cloud Foundry Garden-runC, versions prior to 1.11.0, contains an information exposure vulnerability. Rated high severity

CVE-2018-1195 HIGH
8.8 Mar 19

In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 28

CVE-2019-11289 HIGH
8.6 Nov 19

Cloud Foundry Routing, all versions before 0.193.0, does not properly validate nonce input. Rated high severity (CVSS 8.

CVE-2026-41013 HIGH
8.1 Jun 01

Privilege escalation in Cloud Foundry smb-volume-release (prior to v3.60.0) and CF Deployment (prior to v56.0.0) lets a

CVE-2023-20881 HIGH
8.1 May 19

Cloud foundry instances having CAPI version between 1.140 and 1.152.0 along with loggregator-agent v7+ may override othe

Share

CVE-2024-22279 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy