Cloud Foundry — Vulnerabilities & Security Advisories (71)

Browse all 71 CVE security advisories affecting Cloud Foundry. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Cloud Foundry is an open-source platform-as-a-service (PaaS) that enables developers to deploy, run, and scale applications across hybrid and multi-cloud environments. Its architecture, which relies on complex component interactions, has historically exposed it to diverse vulnerability classes, including remote code execution, cross-site scripting, and privilege escalation. With seventy-one recorded CVEs, these flaws often stem from input validation errors or misconfigurations within its core components like the Diego scheduler and UAA authentication service. Security incidents have frequently involved unauthorized access to containerized workloads or exploitation of API endpoints, highlighting risks associated with its distributed nature. While the project maintains active security patches, the sheer volume of historical vulnerabilities underscores the complexity of securing its extensive ecosystem. Organizations must rigorously audit configurations and apply updates promptly to mitigate these persistent threats inherent in its open-source, community-driven development model.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-22734 | Cloud Foundry UAA SAML 2.0 Signature Bypass | UAA | CWE-290 | 8.6 | High | 2026-04-16 |
| CVE-2025-22246 | UAA Private Key Exposure | UAA | - | 3.0 | Low | 2025-05-13 |
| CVE-2025-22216 | UAA Missing Zone Validation | Cloud Foundry UAA | - | 5.4 | Medium | 2025-01-31 |
| CVE-2024-38826 | Cloud Controller Denial of Service Attack | Cloud Foundry | - | 6.5 | Medium | 2024-11-11 |
| CVE-2024-37082 | Cloud Foundry Security Vulnerability | haproxy-boshrelease | CWE-290 | 9.1 | Critical | 2024-07-03 |
| CVE-2024-22279 | GoRouter Denial of Service Attack | Routing Release | CWE-444 | 5.9 | Medium | 2024-06-10 |
| CVE-2023-34061 | Gorouter route pruning | Routing Release | - | 7.5 | High | 2024-01-12 |
| CVE-2023-34041 | Abuse of HTTP Hop-by-Hop Headers in Cloud Foundry Gorouter | Routing | - | 5.3 | Medium | 2023-09-08 |
| CVE-2023-20885 | CF workflows leak credentials in system audit logs | Notifications | - | 6.5 | Medium | 2023-06-16 |
| CVE-2020-5423 | Cloud Controller is vulnerable to denial of service via YAML parsing | CAPI | CWE-400 | 7.5 | - | 2020-12-02 |
| CVE-2020-5422 | UAA password may appear in BOSH System Metrics Server process arguments | BOSH System Metrics Server | CWE-214 | 6.5 | - | 2020-10-02 |
| CVE-2020-5420 | Gorouter is vulnerable to DoS attack via invalid HTTP responses | Routing | CWE-754 | 7.7 | - | 2020-09-03 |
| CVE-2020-5418 | Cloud Controller allows users with no roles to list droplets | CAPI | CWE-863 | 4.3 | - | 2020-09-03 |
| CVE-2020-5417 | Cloud Controller may allow developers to claim sensitive routes | CAPI | CWE-732 | 8.1 | - | 2020-08-21 |
| CVE-2020-5416 | CF clusters with NGINX in front of them may be vulnerable to DoS | Routing | CWE-404 | 7.5 | - | 2020-08-21 |
| CVE-2020-5402 | UAA fails to check the state parameter when authenticating with external IDPs | UAA | CWE-352 | 8.8 | - | 2020-02-27 |
| CVE-2020-5401 | Cloud Foundry GoRouter is vulnerable to cache poisoning | Routing | CWE-393 | - | - | 2020-02-27 |
| CVE-2020-5400 | Cloud Controller logs environment variables from app manifests | CAPI | CWE-522 | 6.5 | - | 2020-02-27 |
| CVE-2020-5399 | CredHub does not properly enable TLS for MySQL database connections | CredHub | CWE-319 | 8.7 | - | 2020-02-12 |
| CVE-2019-11294 | CAPI leaks service broker URLs and GUIDs to space developers | CAPI | CWE-200 | 4.3 | - | 2019-12-19 |
| CVE-2019-11293 | UAA logs all query parameters with debug logging level | UAA Release | CWE-532 | 6.5 | - | 2019-12-06 |
| CVE-2019-11290 | Cloud Foundry UAA logs query parameters in tomcat access file | UAA Release | CWE-532 | 7.5 | - | 2019-11-25 |
| CVE-2019-11289 | A forged route service request using an invalid nonce can cause the gorouter to panic and crash | Routing | CWE-20 | 8.6 | - | 2019-11-19 |
| CVE-2019-11283 | Password leak in smbdriver logs | SMB Volume | CWE-532 | 8.8 | - | 2019-10-23 |
| CVE-2019-11282 | UAA is vulnerable to a Blind SCIM injection leading to information disclosure | UAA Release | CWE-200 | 4.3 | - | 2019-10-23 |
| CVE-2019-11279 | Privilege Escalation via Scope Manipulation in UAA | UAA Release (OSS) | CWE-77 | 8.8 | - | 2019-09-26 |
| CVE-2019-11278 | Privilege Escalation via Blind SCIM Injection in UAA | UAA Release (OSS) | CWE-77 | 8.8 | - | 2019-09-26 |
| CVE-2019-11277 | Volume Services is vulnerable to an LDAP injection attack | CF NFS volume release | CWE-90 | 8.1 | - | 2019-09-23 |
| CVE-2019-11274 | UAA SCIM Filter XSS | UAA Release (OSS) | CWE-79 | 6.1 | - | 2019-08-09 |
| CVE-2019-3800 | CF CLI writes the client id and secret to config file | CF CLI Release | CWE-522 | 7.8 | - | 2019-08-05 |

This page lists every published CVE security advisory associated with Cloud Foundry. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.