CVE-2017-8037

high-risk

Published 2017-08-21

In Cloud Foundry Foundation CAPI-release versions after v1.6.0 and prior to v1.38.0 and cf-release versions after v244 and prior to v270, there is an incomplete fix for CVE-2017-8035. If you took steps to remediate CVE-2017-8035 you should also upgrade to fix this CVE. A carefully crafted CAPI request from a Space Developer can allow them to gain access to files on the Cloud Controller VM for that installation, aka an Information Leak / Disclosure.

Do I need to act?

0.38% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

Capi-Release

Cf-Release

Affected Vendors

Cloudfoundry

References (4)

http://www.securityfocus.com/bid/100448

Vendor Advisory https://www.cloudfoundry.org/cve-2017-8037/

http://www.securityfocus.com/bid/100448

Vendor Advisory https://www.cloudfoundry.org/cve-2017-8037/

/ 100

high-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 26/34 · High