Description
Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. A remote authenticated malicious space developer can potentially inject LDAP filters via service instance creation, facilitating the malicious space developer to deny service or perform a dictionary attack.
CVSS breakdown
CVSS 3.0
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low
Affected products
- Cloud Foundry / CF DeploymentAll – v11.1.0
- Cloud Foundry / cf-nfs-volume release1.7 – v1.7.11
- Cloud Foundry / cf-nfs-volume release2.3 – v2.3.0