
Cloud Foundry — Vulnerabilities & Security Advisories (71)

Browse all 71 CVE security advisories affecting Cloud Foundry. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Cloud Foundry is an open-source platform-as-a-service (PaaS) for deploying, running, and scaling applications across hybrid and multi-cloud environments. It is assembled from many cooperating components (the Cloud Controller API, the Diego scheduler, the Gorouter, the UAA identity service, BOSH, CredHub and others), and the seventy-one CVEs recorded against it cover remote code execution, cross-site scripting, open redirects, privilege escalation, and credential leakage. Many stem from input validation errors, credentials written to logs, or insecure defaults in core components such as UAA and the Cloud Controller. Reported incidents have involved unauthorized access to containerized workloads and abuse of API endpoints, risks that follow from the platform's distributed design, where one component's trust decision is often relied on by several others. The project publishes security fixes regularly; operators should audit component configurations against the advisories below and apply updates promptly, since a large share of these issues are fixed only by upgrading the affected release.

CVE ID | Title | Component | CWE | CVSS | Severity | Published
--- | --- | --- | --- | --- | --- | ---
CVE-2019-11270 | UAA clients.write vulnerability | UAA Release (OSS) | CWE-269 | 7.5 | - | 2019-08-05
CVE-2019-3794 | UAA - Login app subject to clickjacking attack | UAA Release (OSS) | CWE-284 | 6.1 | - | 2019-07-18
CVE-2019-11268 | UAA SQL Identity Zone Vulnerability | UAA Release (OSS) | CWE-200 | 6.5 | - | 2019-07-11
CVE-2019-3787 | UAA defaults email address to an insecure domain | UAA Release (OSS) | CWE-840 | 9.8 | - | 2019-06-19
CVE-2019-11271 | Bosh Deployment logs leak sensitive information | BOSH | CWE-532 | 7.1 | - | 2019-06-18
CVE-2019-3801 | Java Projects using HTTP to fetch dependencies | CredHub | CWE-494 | 9.8 | - | 2019-04-25
CVE-2019-3788 | UAA redirect-uri allows wildcard in the subdomain | UAA Release (OSS) | CWE-601 | 6.1 | - | 2019-04-25
CVE-2019-3786 | BBR could run arbitrary scripts on deployment VMs | BOSH Backup and Restore | CWE-269 | 7.1 | - | 2019-04-24
CVE-2019-3789 | Gorouter allows space developer to hijack route services hosted outside the platform | CF Routing | CWE-840 | 8.1 | - | 2019-04-24
CVE-2019-3798 | Escalation of Privileges in Cloud Controller | CAPI-release | CWE-287 | 7.5 | - | 2019-04-17
CVE-2019-3785 | Cloud Controller provides signed URL with write authorization to read-only user | CAPI | CWE-285 | 8.1 | - | 2019-03-13
CVE-2019-3779 | Cloud Foundry Container Runtime allows a user to bypass security policy when talking to ETCD | Cloud Foundry Container Runtime (CFCR) | CWE-284 | 8.8 | - | 2019-03-08
CVE-2019-3780 | Cloud Foundry Container Runtime Leaks IAAS Credentials | Cloud Foundry Container Runtime (CFCR) | CWE-260 | 8.8 | - | 2019-03-08
CVE-2019-3781 | CF CLI does not sanitize user's password in verbose/trace/debug output | CF CLI | CWE-215 | 8.8 | - | 2019-03-07
CVE-2019-3783 | Cloud Foundry Stratos Deploys With Public Default Session Store Secret | Stratos | CWE-384 | 8.8 | - | 2019-03-07
CVE-2019-3784 | Cloud Foundry Stratos contains a Session Collision Vulnerability | Stratos | CWE-384 | 8.1 | - | 2019-03-07
CVE-2019-3775 | UAA allows users to modify their own email address | UAA Release (OSS) | CWE-290 | 8.1 | - | 2019-03-07
CVE-2019-3782 | CredHub CLI writes environment variable credentials to disk | CredHub CLI | CWE-522 | 7.8 | - | 2019-02-13
CVE-2018-15754 | UAA can issue tokens across identity providers if users with matching usernames exist | UAA Release | - | 8.1 | - | 2018-12-13
CVE-2018-15800 | Timing attack allows extraction of signing key in Bits Service | Bits Service Release | - | 6.8 | - | 2018-12-10
CVE-2018-15797 | NFS Volume release errand leaks cf admin credentials in logs | NFS Volume Release | - | 8.8 | - | 2018-12-05
CVE-2018-15761 | UAA Privilege Escalation | UAA | - | 8.8 | - | 2018-11-19
CVE-2018-15796 | Signing Key Extraction in Bits Service Release | bits-service-release | - | 8.1 | - | 2018-11-09
CVE-2018-15755 | CF networking internal policy server SQL injection | CF Networking Release | - | 8.8 | - | 2018-10-12
CVE-2018-11082 | Cloud Foundry UAA MFA does not prevent brute force of MFA code | UAA Release | - | 7.5 | - | 2018-10-05
CVE-2018-11083 | Bosh accepts refresh tokens in place of an access token | BOSH | - | 8.1 | - | 2018-10-05
CVE-2018-1264 | Log Cache logs UAA client secret on startup | log-cache-release | - | 8.8 | - | 2018-10-05
CVE-2018-11084 | Garden-runC prevents deletion of some app environments | Garden-runC | - | 7.1 | - | 2018-09-18
CVE-2018-1223 | Cloud Foundry Container Runtime security vulnerability | Container Runtime | - | 8.8 | - | 2018-09-17
CVE-2018-11047 | Cloud Foundry UAA security vulnerability | Cloud Foundry UAA | - | 9.8 | - | 2018-07-24

This page lists every published CVE security advisory associated with Cloud Foundry. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.
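As an added example (not code from this page or from the Cloud Foundry project), the Python script below turns advisory rows in the flattened form this listing is extracted in into structured records, derives a qualitative severity from the CVSS base score where the listing leaves the severity column blank, and ranks the rows for triage so the highest-scoring, most recent advisories surface first. The sample rows are constructed from entries in the table above; the row grammar, the CVSS v3.x rating bands, the 7.0 triage threshold and the function names are assumptions of the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: rows copied from the listing above in the flattened
# form it is extracted in, "<CVE> <title> — <component>[CWE-n] <cvss> <severity><date>".
# The severity column is blank ("-") on the page, so it sits fused to the date.
SAMPLE_ROWS = """
CVE-2019-11270 UAA clients.write vulnerability — UAA Release (OSS)CWE-269 7.5 -2019-08-05
CVE-2019-3787 UAA defaults email address to an insecure domain — UAA Release (OSS)CWE-840 9.8 -2019-06-19
CVE-2019-3781 CF CLI does not sanitize user's password in verbose/trace/debug — CF CLICWE-215 8.8 -2019-03-07
CVE-2018-15754 UAA can issue tokens across identity providers if users with matching usernames exist — UAA Release 8.1 -2018-12-13
CVE-2018-15800 Timing attack allows extraction of signing key in Bits Service — Bits Service Release 6.8 -2018-12-10
CVE-2018-11083 Bosh accepts refresh tokens in place of an access token — BOSH 8.1 -2018-10-05
CVE-2018-1223 Cloud Foundry Container Runtime security vulnerability — Container Runtime 8.8 -2018-09-17
"""

# One row per line (assumed grammar). The component is matched lazily so a CWE
# glued to its end ("CF CLICWE-215") is split off; the CWE is optional because
# the 2018 rows carry none.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<title>.+?)\s+—\s+"
    r"(?P<component>.+?)(?P<cwe>CWE-\d+)?\s+"
    r"(?P<cvss>\d{1,2}\.\d)\s+"
    r"(?P<severity>[A-Za-z]+|-)"
    r"(?P<published>\d{4}-\d{2}-\d{2})$"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    component: str
    cwe: str | None
    cvss: float
    severity: str
    published: str  # ISO date, so plain string comparison orders it correctly


def cvss_band(score: float) -> str:
    """Qualitative rating bands from the CVSS v3.x specification."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def parse_rows(text: str) -> list[Advisory]:
    """Parse flattened listing rows; raise on anything that does not fit the format."""
    advisories: list[Advisory] = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable advisory row: {line!r}")
        score = float(m["cvss"])
        # The page leaves severity as "-"; fall back to the CVSS band in that case.
        severity = m["severity"] if m["severity"] != "-" else cvss_band(score)
        advisories.append(Advisory(
            cve=m["cve"],
            title=m["title"],
            component=m["component"].strip(),
            cwe=m["cwe"],
            cvss=score,
            severity=severity,
            published=m["published"],
        ))
    return advisories


def triage(advisories: list[Advisory], min_cvss: float = 7.0) -> list[Advisory]:
    """Rows at or above the threshold, highest CVSS first; newest first on equal scores."""
    hits = [a for a in advisories if a.cvss >= min_cvss]
    hits.sort(key=lambda a: a.published, reverse=True)  # secondary key first,
    hits.sort(key=lambda a: a.cvss, reverse=True)       # then a stable sort on the primary
    return hits


def by_component(advisories: list[Advisory]) -> dict[str, list[str]]:
    """Group CVE IDs by affected component so each owning team gets one list."""
    groups: dict[str, list[str]] = {}
    for a in advisories:
        groups.setdefault(a.component, []).append(a.cve)
    return groups


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for a in triage(rows):
        print(f"{a.cve:16} {a.cvss:4} {a.severity:8} {a.component:24} {a.cwe or '-':8} {a.published}")
    print(by_component(rows))
```

The parser deliberately fails loudly on a row it cannot match rather than skipping it, because a silently dropped advisory is exactly the kind of gap a triage pass is meant to close; the 2018 rows without a CWE and the rows whose CWE is fused to the component name are the two irregularities the grammar has to tolerate.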