CVE-2020-5418

Summary

Cloud Foundry CAPI (Cloud Controller) versions prior to 1.98.0 allow authenticated users having only the "cloud_controller.read" scope, but no roles in any spaces, to list all droplets in all spaces (whereas they should see none).

Affected Software

VendorProductVersion RangeStatus
Cloud FoundryCAPIAll < 1.98.0affected
Cloud FoundryCF DeploymentAll < 13.17.0affected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CVE Program Container

Additional References

References