cf-dev@lists.cloudfoundry.org | CVE-2015-1834 CC Path Traversal vulnerability

Home Messages Hashtags Subgroups

Date Date 1 - 4 of 4

CVE-2015-1834 CC Path Traversal vulnerability

James Bayer #196 Severity: Medium Vendor: Cloud Foundry Foundation Vulnerable Versions: Cloud Foundry Runtime Releases prior to 208 CVE References: CVE-2015-1834 Description: A path traversal vulnerability was identified in the Cloud Foundry component Cloud Controller. Path traversal is the "outbreak" of a given directory structure through relative file paths in the user input. It aims at accessing files and directories that are stored outside the web root folder, for disallowed reading or even executing arbitrary system commands. An attacker could use a certain parameter of the file path for instance to inject "../" sequences in order to navigate through the file system. In this particular case a remote authenticated attacker can exploit the identified vulnerability in order to upload arbitrary files to the server running a Cloud Controller instance – outside the isolated application container. Affected Products and Versions: Cloud Foundry Runtime cf-release versions v207 or earlier are susceptible to the vulnerability Mitigation: The Cloud Foundry project recommends that Cloud Foundry Runtime Deployments running Release v207 or earlier upgrade to v208 or later. Credit: This issue was identified by Swisscom / SEC Consult -- Thank you, James Bayer attachment.html attachment.html
More All Messages By This Member
Noburou TANIGUCHI #206 I understand the CFF strongly recommends to upgrade to v208 or after, but for those (including us) who cannot immediately upgrade, I want to know if there is a workaround against this vulnerability. I've found that there is a commit which seems related this vulnerability: https://github.com/cloudfoundry/cloud_controller_ng/commit/5257a8af6990e71cd1e34ae8978dfe4773b32826 Cherry-picking this commit may be a workaround? Or we need another commits to cherry-pick? Thanks in advance. -- View this message in context: http://cf-dev.70369.x6.nabble.com/cf-dev-CVE-2015-1834-CC-Path-Traversal-vulnerability-tp163p173.html Sent from the CF Dev mailing list archive at Nabble.com.
More All Messages By This Member
Dieu Cao <dcao@...> #207 Yes, that's the correct commit to cherry pick for the cc path traversal vulnerability. -Dieu CF Runtime PM toggle quoted message Show quoted text On Tue, May 26, 2015 at 12:30 AM, nota-ja <dev(a)nota.m001.jp> wrote: I understand the CFF strongly recommends to upgrade to v208 or after, but for those (including us) who cannot immediately upgrade, I want to know if there is a workaround against this vulnerability. I've found that there is a commit which seems related this vulnerability: https://github.com/cloudfoundry/cloud_controller_ng/commit/5257a8af6990e71cd1e34ae8978dfe4773b32826 Cherry-picking this commit may be a workaround? Or we need another commits to cherry-pick? Thanks in advance. -- View this message in context: http://cf-dev.70369.x6.nabble.com/cf-dev-CVE-2015-1834-CC-Path-Traversal-vulnerability-tp163p173.html Sent from the CF Dev mailing list archive at Nabble.com. _______________________________________________ cf-dev mailing list cf-dev(a)lists.cloudfoundry.org https://lists.cloudfoundry.org/mailman/listinfo/cf-dev attachment.html attachment.html
More All Messages By This Member
Noburou TANIGUCHI #209 Thank you for the quick response, Dieu! -- View this message in context: http://cf-dev.70369.x6.nabble.com/cf-dev-CVE-2015-1834-CC-Path-Traversal-vulnerability-tp163p176.html Sent from the CF Dev mailing list archive at Nabble.com.
More All Messages By This Member

1 - 4 of 4

1

Previous Topic Next Topic

Home Hashtags Subgroups Terms