Cloudfoundry Cf-deployment — known CVE vulnerabilities
Every CVE whose affected-product data names Cloudfoundry Cf-deployment, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (37)
CVE-2019-3801 — CVSS 9.8 (critical): Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies…
CVE-2022-31733 — CVSS 9.1 (critical): Starting with diego-release 2.55.0 and up to 2.69.0, and starting with CF Deployment 17.1 and up to 23.2.0, apps are accessible via another…
CVE-2018-1195 — CVSS 8.8 (high): In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller…
CVE-2020-5417 — CVSS 8.8 (high): Cloud Foundry CAPI (Cloud Controller), versions prior to 1.97.0, when used in a deployment where an app domain is also the system domain…
CVE-2018-1191 — CVSS 8.8 (high): Cloud Foundry Garden-runC, versions prior to 1.11.0, contains an information exposure vulnerability. A user with access to Garden logs may…
CVE-2019-11283 — CVSS 8.8 (high): Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. A remote user with access to…
CVE-2020-5402 — CVSS 8.8 (high): In Cloud Foundry UAA, versions prior to 74.14.0, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the…
CVE-2019-11289 — CVSS 8.6 (high): Cloud Foundry Routing, all versions before 0.193.0, does not properly validate nonce input. A remote unauthenticated malicious user could…
CVE-2018-1221 — CVSS 8.1 (high): In cf-deployment before 1.14.0 and routing-release before 0.172.0, the Cloud Foundry Gorouter mishandles WebSocket requests for AWS…
CVE-2023-20881 — CVSS 8.1 (high): Cloud foundry instances having CAPI version between 1.140 and 1.152.0 along with loggregator-agent v7+ may override other users syslog…
CVE-2019-11277 — CVSS 8.1 (high): Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. A remote…
CVE-2020-5420 — CVSS 7.7 (high): Cloud Foundry Routing (Gorouter) versions prior to 0.206.0 allow a malicious developer with "cf push" access to cause denial-of-service to…
CVE-2019-11290 — CVSS 7.5 (high): Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to tomcat’s access file. If the query parameters are used…
CVE-2020-5423 — CVSS 7.5 (high): CAPI (Cloud Controller) versions prior to 1.101.0 are vulnerable to a denial-of-service attack in which an unauthenticated malicious…
CVE-2021-22001 — CVSS 7.5 (high): In UAA versions prior to 75.3.0, sensitive information like relaying secret of the provider was revealed in response when deletion request…
CVE-2021-22101 — CVSS 7.5 (high): Cloud Controller versions prior to 1.118.0 are vulnerable to unauthenticated denial of Service(DoS) vulnerability allowing unauthenticated…
CVE-2018-1262 — CVSS 7.2 (high): Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones…
CVE-2018-1265 — CVSS 7.2 (high): Cloud Foundry Diego, release versions prior to 2.8.0, does not properly sanitize file paths in tar and zip files headers. A remote attacker…
CVE-2017-14389 — CVSS 6.5 (medium): An issue was discovered in Cloud Foundry Foundation capi-release (all versions prior to 1.45.0), cf-release (all versions prior to v280)…
CVE-2018-1277 — CVSS 6.5 (medium): Cloud Foundry Garden-runC, versions prior to 1.13.0, does not correctly enforce disc quotas for Docker image layers. A remote authenticated…
CVE-2019-11293 — CVSS 6.5 (medium): Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query…
CVE-2020-5400 — CVSS 6.5 (medium): Cloud Foundry Cloud Controller (CAPI), versions prior to 1.91.0, logs properties of background jobs when they are run, which may include…
CVE-2020-5416 — CVSS 6.5 (medium): Cloud Foundry Routing (Gorouter), versions prior to 0.204.0, when used in a deployment with NGINX reverse proxies in front of the…
CVE-2021-22115 — CVSS 6.5 (medium): Cloud Controller API versions prior to 1.106.0 logs service broker credentials if the default value of db logging config field is changed…
CVE-2026-22723 — CVSS 6.5 (medium): Inappropriate user token revocation due to a logic error in the token revocation endpoint implementation in Cloudfoundry UAA v77.30.0 to…
CVE-2021-22098 — CVSS 6.1 (medium): UAA server versions prior to 75.4.0 are vulnerable to an open redirect vulnerability. A malicious user can exploit the open redirect…
CVE-2020-15586 — CVSS 5.9 (medium): Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler…
CVE-2023-20882 — CVSS 5.9 (medium): In Cloud foundry routing release versions from 0.262.0 and prior to 0.266.0,a bug in the gorouter process can lead to a denial of service…
CVE-2024-22279 — CVSS 5.9 (medium): Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade the service…
CVE-2023-34041 — CVSS 5.3 (medium): Cloud foundry routing release versions prior to 0.278.0 are vulnerable to abuse of HTTP Hop-by-Hop Headers. An unauthenticated attacker can…
CVE-2018-1193 — CVSS 5.3 (medium): Cloud Foundry routing-release, versions prior to 0.175.0, lacks sanitization for user-provided X-Forwarded-Proto headers. A remote user can…
CVE-2021-22100 — CVSS 5.3 (medium): In cloud foundry CAPI versions prior to 1.122, a denial-of-service attack in which a developer can push a service broker that (accidentally…
CVE-2026-22726 — CVSS 5.0 (medium): Route Services can be leveraged to send app traffic to network destinations outside of an app's configured egress rules. As a result, a…
CVE-2020-5418 — CVSS 4.3 (medium): Cloud Foundry CAPI (Cloud Controller) versions prior to 1.98.0 allow authenticated users having only the "cloud_controller.read" scope, but…
CVE-2019-11294 — CVSS 4.3 (medium): Cloud Foundry Cloud Controller API (CAPI), version 1.88.0, allows space developers to list all global service brokers, including service…
CVE-2019-11282 — CVSS 4.3 (medium): Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack. A remote authenticated…
CVE-2025-22246 — CVSS 3.0 (low): Cloud Foundry UAA release versions from v77.21.0 to v7.31.0 are vulnerable to a private key exposure in logs.