Vulnerability Name: CVE-2017-8037 (CCN-130746)

Assigned: 2017-08-07
Published: 2017-08-07
Updated: 2019-03-22
Summary: In Cloud Foundry Foundation CAPI-release versions after v1.6.0 and prior to v1.38.0 and cf-release versions after v244 and prior to v270, there is an incomplete fix for CVE-2017-8035. If you took steps to remediate CVE-2017-8035 you should also upgrade to fix this CVE. A carefully crafted CAPI request from a Space Developer can allow them to gain access to files on the Cloud Controller VM for that installation, aka an Information Leak / Disclosure.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): None
  Availability (A): None
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): None
  Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): None
  Availability (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Complete
  Integrity (I): None
  Availability (A): None
Vulnerability Type: CWE-200
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2017-8037

Source: BID
Type: UNKNOWN
100448

Source: XF
Type: UNKNOWN
cloudfoundry-cve20178037-info-disc(130746)

Source: CCN
Type: Cloud Foundry Web site
CVE-2017-8037: Incomplete fix for Cloud Controller API access to CC VM Contents

Source: CONFIRM
Type: Vendor Advisory
https://www.cloudfoundry.org/cve-2017-8037/

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:cloudfoundry:capi-release:1.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.10.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.11.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.12.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.13.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.14.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.15.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.16.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.17.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.18.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.19.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.20.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.21.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.22.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.23.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.24.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.25.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.26.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.27.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.28.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.29.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.30.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.31.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.32.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.33.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.34.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.35.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.36.0:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:capi-release:1.37.0:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:cloudfoundry:cf-release:245:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:246:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:247:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:248:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:249:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:250:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:251:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:252:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:253:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:254:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:255:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:256:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:257:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:258:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:259:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:260:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:261:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:262:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:263:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:264:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:265:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:266:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:267:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:268:*:*:*:*:*:*:*
  • OR cpe:/a:cloudfoundry:cf-release:269:*:*:*:*:*:*:*

* Denotes that component is vulnerable
    cloudfoundry capi-release 1.7.0
    cloudfoundry capi-release 1.8.0
    cloudfoundry capi-release 1.9.0
    cloudfoundry capi-release 1.10.0
    cloudfoundry capi-release 1.11.0
    cloudfoundry capi-release 1.12.0
    cloudfoundry capi-release 1.13.0
    cloudfoundry capi-release 1.14.0
    cloudfoundry capi-release 1.15.0
    cloudfoundry capi-release 1.16.0
    cloudfoundry capi-release 1.17.0
    cloudfoundry capi-release 1.18.0
    cloudfoundry capi-release 1.19.0
    cloudfoundry capi-release 1.20.0
    cloudfoundry capi-release 1.21.0
    cloudfoundry capi-release 1.22.0
    cloudfoundry capi-release 1.23.0
    cloudfoundry capi-release 1.24.0
    cloudfoundry capi-release 1.25.0
    cloudfoundry capi-release 1.26.0
    cloudfoundry capi-release 1.27.0
    cloudfoundry capi-release 1.28.0
    cloudfoundry capi-release 1.29.0
    cloudfoundry capi-release 1.30.0
    cloudfoundry capi-release 1.31.0
    cloudfoundry capi-release 1.32.0
    cloudfoundry capi-release 1.33.0
    cloudfoundry capi-release 1.34.0
    cloudfoundry capi-release 1.35.0
    cloudfoundry capi-release 1.36.0
    cloudfoundry capi-release 1.37.0
    cloudfoundry cf-release 245
    cloudfoundry cf-release 246
    cloudfoundry cf-release 247
    cloudfoundry cf-release 248
    cloudfoundry cf-release 249
    cloudfoundry cf-release 250
    cloudfoundry cf-release 251
    cloudfoundry cf-release 252
    cloudfoundry cf-release 253
    cloudfoundry cf-release 254
    cloudfoundry cf-release 255
    cloudfoundry cf-release 256
    cloudfoundry cf-release 257
    cloudfoundry cf-release 258
    cloudfoundry cf-release 259
    cloudfoundry cf-release 260
    cloudfoundry cf-release 261
    cloudfoundry cf-release 262
    cloudfoundry cf-release 263
    cloudfoundry cf-release 264
    cloudfoundry cf-release 265
    cloudfoundry cf-release 266
    cloudfoundry cf-release 267
    cloudfoundry cf-release 268
    cloudfoundry cf-release 269