First published: Thu Sep 03 2020
Cloud Foundry CAPI (Cloud Controller) versions prior to 1.98.0 allow authenticated users having only the "cloud_controller.read" scope, but no roles in any spaces, to list all droplets in all spaces (whereas they should see none).
Credit: security@pivotal.io
Affected Software | Affected Version | How to fix
---|---|---
Cloudfoundry Capi-release | <1.98.0 | Upgrade to 1.98.0 or later
Cloudfoundry Cf-deployment | <13.17.0 | Upgrade to 13.17.0 or later
CVE-2020-5418 is a vulnerability in Cloud Foundry CAPI (Cloud Controller) versions prior to 1.98.0.
CVE-2020-5418 allows authenticated users with only the "cloud_controller.read" scope to list all droplets in all spaces, even if they have no roles in those spaces.
CVE-2020-5418 has a severity rating of medium with a value of 4.3.
Cloud Foundry CAPI versions prior to 1.98.0 and Cloud Foundry cf-deployment versions prior to 13.17.0 are affected.
To fix CVE-2020-5418, upgrade Cloud Foundry CAPI to version 1.98.0 or higher.
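A post-upgrade regression check an operator can run against their own deployment, added here as an example and not part of the original advisory or the Cloud Foundry project: it evaluates a `GET /v3/droplets` response obtained with a token that carries only the `cloud_controller.read` scope for a test user holding no space roles, and reports the deployment as affected if that user still sees any droplets. The `api_url` and `token` parameters of `fetch_droplets` are operator-supplied assumptions; the two sample responses are constructed, not captured from a real system.

```python
import json
import urllib.request

# Constructed sample /v3/droplets responses (not from a real deployment).
# Both assume the caller has only cloud_controller.read and no space roles,
# so the correct result is zero visible droplets.
VULNERABLE_RESPONSE = json.dumps({
    "pagination": {"total_results": 3, "total_pages": 1},
    "resources": [
        {"guid": "droplet-a", "state": "STAGED"},
        {"guid": "droplet-b", "state": "STAGED"},
        {"guid": "droplet-c", "state": "FAILED"},
    ],
})
PATCHED_RESPONSE = json.dumps({
    "pagination": {"total_results": 0, "total_pages": 1},
    "resources": [],
})


def droplets_visible(response_body: str) -> int:
    """Number of droplets the caller can see.

    pagination.total_results is authoritative because the endpoint is
    paginated; counting 'resources' only covers the first page and is
    used as a fallback when the pagination block is missing."""
    body = json.loads(response_body)
    pagination = body.get("pagination") or {}
    if "total_results" in pagination:
        return int(pagination["total_results"])
    return len(body.get("resources", []))


def is_affected(response_body: str) -> bool:
    """True when a role-less read-only token still lists droplets,
    i.e. the CVE-2020-5418 behaviour is present."""
    return droplets_visible(response_body) > 0


def fetch_droplets(api_url: str, token: str) -> str:
    """Fetch /v3/droplets from a live Cloud Controller (assumed operator
    inputs: API base URL and a bearer token for the role-less test user)."""
    req = urllib.request.Request(
        f"{api_url.rstrip('/')}/v3/droplets",
        headers={"Authorization": f"bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for label, body in (("vulnerable", VULNERABLE_RESPONSE), ("patched", PATCHED_RESPONSE)):
        print(f"{label}: {droplets_visible(body)} visible, affected={is_affected(body)}")
```

Against a live deployment, pass `fetch_droplets(api_url, token)` to `is_affected`; after upgrading CAPI to 1.98.0 or later the role-less user should see a `total_results` of 0.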