Cloudfoundry Routing Release

By the Year

In 2024 there has been 1 vulnerability in Cloudfoundry Routing Release, with an average score of 7.5 out of ten. Last year Routing Release had 2 security vulnerabilities published. Right now, Routing Release is on track to have fewer security vulnerabilities in 2024 than it did last year. However, the average CVE base score of the vulnerabilities in 2024 is greater by 1.90.

Year  Vulnerabilities  Average Score
2024  1                7.50
2023  2                5.60
2022  0                0.00
2021  0                0.00
2020  3                5.90
2019  2                7.55
2018  2                6.70

It may take a day or so for new Routing Release vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Cloudfoundry Routing Release Security Vulnerabilities

CVE-2024-22279 7.5 - High - June 10, 2024

Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade the service availability of the Cloud Foundry deployment if performed at scale.

HTTP Request Smuggling

CVE-2023-34041 5.3 - Medium - September 08, 2023

Cloud foundry routing release versions prior to 0.278.0 are vulnerable to abuse of HTTP Hop-by-Hop Headers. An unauthenticated attacker can use this vulnerability for headers like B3 or X-B3-SpanID to affect the identification value recorded in the logs in foundations.

CVE-2023-20882 5.9 - Medium - May 26, 2023

In Cloud Foundry routing release versions from 0.262.0 and prior to 0.266.0, a bug in the gorouter process can lead to a denial of service of applications hosted on Cloud Foundry. Under the right circumstances, when client connections are closed prematurely, gorouter marks the currently selected backend as failed and removes it from the routing pool.

CVE-2020-5416 6.5 - Medium - August 21, 2020

Cloud Foundry Routing (Gorouter), versions prior to 0.204.0, when used in a deployment with NGINX reverse proxies in front of the Gorouters, is potentially vulnerable to denial-of-service attacks in which an unauthenticated malicious attacker can send specially-crafted HTTP requests that may cause the Gorouters to be dropped from the NGINX backend pool.

Improper Resource Shutdown or Release

CVE-2020-15586 5.9 - Medium - July 17, 2020

Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.

Race Condition

CVE-2020-5401 5.3 - Medium - February 27, 2020

Cloud Foundry Routing Release, versions prior to 0.197.0, contains GoRouter, which allows malicious clients to send invalid headers, causing caching layers to reject subsequent legitimate clients trying to access the app.

HTTP Request Smuggling

CVE-2019-11289 8.6 - High - November 19, 2019

Cloud Foundry Routing, all versions before 0.193.0, does not properly validate nonce input. A remote unauthenticated malicious user could forge an HTTP route service request using an invalid nonce that will cause the Gorouter to crash.

Improper Input Validation

CVE-2019-3789 6.5 - Medium - April 24, 2019

Cloud Foundry Routing Release, all versions prior to 0.188.0, contains a vulnerability that can hijack the traffic to route services hosted outside the platform. A user with space developer permissions can create a private domain that shadows the external domain of the route service, and map that route to an app. When the gorouter receives traffic destined for the external route service, this traffic will instead be directed to the internal app using the shadow route.

Permissions, Privileges, and Access Controls

CVE-2018-1193 5.3 - Medium - May 23, 2018

Cloud Foundry routing-release, versions prior to 0.175.0, lacks sanitization for user-provided X-Forwarded-Proto headers. A remote user can set the X-Forwarded-Proto header in a request to potentially bypass an application requirement to only respond over secure connections.

CVE-2018-1221 8.1 - High - March 19, 2018

In cf-deployment before 1.14.0 and routing-release before 0.172.0, the Cloud Foundry Gorouter mishandles WebSocket requests for AWS Application Load Balancers (ALBs) and some other HTTP-aware Load Balancers. A user with developer privileges could use this vulnerability to steal data or cause denial of service.

Improper Input Validation
