Cloudfoundry Routing Release
By the Year
In 2024 there has been 1 vulnerability in Cloudfoundry Routing Release, with an average score of 7.5 out of ten. Last year Routing Release had 2 security vulnerabilities published. Right now, Routing Release is on track to have fewer security vulnerabilities in 2024 than it did last year. However, the average CVE base score of the vulnerabilities in 2024 is greater by 1.90.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 1 | 7.50 |
2023 | 2 | 5.60 |
2022 | 0 | 0.00 |
2021 | 0 | 0.00 |
2020 | 3 | 5.90 |
2019 | 2 | 7.55 |
2018 | 2 | 6.70 |
It may take a day or so for new Routing Release vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Cloudfoundry Routing Release Security Vulnerabilities
Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0
CVE-2024-22279
7.5 - High
- June 10, 2024
Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade the service availability of the Cloud Foundry deployment if performed at scale.
HTTP Request Smuggling
Cloud foundry routing release versions prior to 0.278.0 are vulnerable to abuse of HTTP Hop-by-Hop Headers
CVE-2023-34041
5.3 - Medium
- September 08, 2023
Cloud foundry routing release versions prior to 0.278.0 are vulnerable to abuse of HTTP Hop-by-Hop Headers. An unauthenticated attacker can use this vulnerability for headers like B3 or X-B3-SpanID to affect the identification value recorded in the logs in foundations.
In Cloud foundry routing release versions
CVE-2023-20882
5.9 - Medium
- May 26, 2023
In Cloud foundry routing release versions from 0.262.0 and prior to 0.266.0, a bug in the gorouter process can lead to a denial of service of applications hosted on Cloud Foundry. Under the right circumstances, when client connections are closed prematurely, gorouter marks the currently selected backend as failed and removes it from the routing pool.
Cloud Foundry Routing (Gorouter), versions prior to 0.204.0, when used in a deployment with NGINX reverse proxies in front of the Gorouters, is potentially vulnerable to denial-of-service attacks in which an unauthenticated malicious attacker can send specially-crafted HTTP requests
CVE-2020-5416
6.5 - Medium
- August 21, 2020
Cloud Foundry Routing (Gorouter), versions prior to 0.204.0, when used in a deployment with NGINX reverse proxies in front of the Gorouters, is potentially vulnerable to denial-of-service attacks in which an unauthenticated malicious attacker can send specially-crafted HTTP requests that may cause the Gorouters to be dropped from the NGINX backend pool.
Improper Resource Shutdown or Release
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler
CVE-2020-15586
5.9 - Medium
- July 17, 2020
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
Race Condition
Cloud Foundry Routing Release, versions prior to 0.197.0, contains GoRouter, which
CVE-2020-5401
5.3 - Medium
- February 27, 2020
Cloud Foundry Routing Release, versions prior to 0.197.0, contains GoRouter, which allows malicious clients to send invalid headers, causing caching layers to reject subsequent legitimate clients trying to access the app.
HTTP Request Smuggling
Cloud Foundry Routing, all versions before 0.193.0, does not properly validate nonce input
CVE-2019-11289
8.6 - High
- November 19, 2019
Cloud Foundry Routing, all versions before 0.193.0, does not properly validate nonce input. A remote unauthenticated malicious user could forge an HTTP route service request using an invalid nonce that will cause the Gorouter to crash.
Improper Input Validation
Cloud Foundry Routing Release, all versions prior to 0.188.0, contains a vulnerability
CVE-2019-3789
6.5 - Medium
- April 24, 2019
Cloud Foundry Routing Release, all versions prior to 0.188.0, contains a vulnerability that can hijack the traffic to route services hosted outside the platform. A user with space developer permissions can create a private domain that shadows the external domain of the route service, and map that route to an app. When the gorouter receives traffic destined for the external route service, this traffic will instead be directed to the internal app using the shadow route.
Permissions, Privileges, and Access Controls
Cloud Foundry routing-release, versions prior to 0.175.0, lacks sanitization for user-provided X-Forwarded-Proto headers
CVE-2018-1193
5.3 - Medium
- May 23, 2018
Cloud Foundry routing-release, versions prior to 0.175.0, lacks sanitization for user-provided X-Forwarded-Proto headers. A remote user can set the X-Forwarded-Proto header in a request to potentially bypass an application requirement to only respond over secure connections.
In cf-deployment before 1.14.0 and routing-release before 0.172.0
CVE-2018-1221
8.1 - High
- March 19, 2018
In cf-deployment before 1.14.0 and routing-release before 0.172.0, the Cloud Foundry Gorouter mishandles WebSocket requests for AWS Application Load Balancers (ALBs) and some other HTTP-aware Load Balancers. A user with developer privileges could use this vulnerability to steal data or cause denial of service.
Improper Input Validation