CVE-2020-5418: Cloud Controller allows users with no roles to list droplets
First published: Thu Sep 03 2020(Updated: )
Cloud Foundry CAPI (Cloud Controller) versions prior to 1.98.0 allow authenticated users having only the "cloud_controller.read" scope, but no roles in any spaces, to list all droplets in all spaces (whereas they should see none).
Credit: security@pivotal.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cloudfoundry Capi-release | <1.98.0 | |
| Cloudfoundry Cf-deployment | <13.17.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-5418?
CVE-2020-5418 is a vulnerability in Cloud Foundry CAPI (Cloud Controller) versions prior to 1.98.0.
How does CVE-2020-5418 affect Cloud Foundry CAPI?
CVE-2020-5418 allows authenticated users with only the "cloud_controller.read" scope to list all droplets in all spaces, even if they have no roles in those spaces.
What is the severity of CVE-2020-5418?
CVE-2020-5418 has a severity rating of medium with a value of 4.3.
Which software versions are affected by CVE-2020-5418?
Cloud Foundry CAPI versions prior to 1.98.0 and Cloud Foundry cf-deployment versions up to exclusive 13.17.0 are affected.
How can I fix CVE-2020-5418?
To fix CVE-2020-5418, upgrade Cloud Foundry CAPI to version 1.98.0 or higher.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/references
- agent/author
- agent/title
- agent/weakness
- agent/tags
- agent/event
- agent/first-publish-date
- agent/description
- vendor/cloudfoundry
- canonical/cloudfoundry capi-release
- canonical/cloudfoundry cf-deployment