CVE-2017-8034

Published: Jul 17, 2017Modified: May 13, 2026

6.6

Vector

CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 0.7 / Impact: 5.9

Source: NVD

Description

The Cloud Controller and Router in Cloud Foundry (CAPI-release capi versions prior to v1.32.0, Routing-release versions prior to v0.159.0, CF-release versions prior to v267) do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With certain multi-zone UAA configurations, zone administrators are able to escalate their privileges.

Affected (3)

Products: Cloudfoundry: Capi Release, Cf Release, Routing Release

3 products

Routing Release

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Cloudfoundry Capi Release	Up to 1.31.0
Cloudfoundry Cf Release	Up to 266
Cloudfoundry Routing Release	Up to 0.158.0

Related CWEs

Reliance on Cookies without Validation and Integrity Checking

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

References (2)

https://www.cloudfoundry.org/cve-2017-8034/

Source: security_alert@emc.com

Vendor Advisory

https://www.cloudfoundry.org/cve-2017-8034/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.