PT-2017-6524 · Pivotal · Pivotal Cloud Foundry (Pcf) Elastic Runtime+1

Published: 2017-05-25 · Updated: 2021-08-25 · CVE-2015-1834

CVSS v2.0: 4.0 (Medium)

Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Cloud Foundry cf-release versions prior to v208
Pivotal Cloud Foundry Elastic Runtime versions prior to 1.4.2

Description

A path traversal issue was identified in the Cloud Controller component. This issue allows an attacker to access files and directories outside the web root folder by injecting relative file paths, such as '../' sequences, into a certain parameter of the file path. This can lead to disallowed reading or execution of arbitrary system commands. A remote authenticated attacker can exploit this issue to upload arbitrary files to the server running a Cloud Controller instance, outside the isolated application container.

Recommendations

For cf-release versions prior to v208, update to version v208 or later to resolve the issue. For Pivotal Cloud Foundry Elastic Runtime versions prior to 1.4.2, update to version 1.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the file system to minimize the risk of exploitation.
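
The bug class described above comes down to joining a client-supplied file name onto a server directory without checking that the result stays inside it. The following Ruby sketch is an added example, not Cloud Controller code or the project's actual patch; `safe_destination`, `ensure_inside!` and the directory names are hypothetical. It shows a containment check that rejects '../' sequences, sibling-prefix paths and symlink escapes.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

class UnsafePathError < StandardError; end

# Raise unless +path+ is +base+ itself or lies beneath it. Comparing path
# components (not string prefixes) keeps "/srv/uploads-evil" from passing
# as a child of "/srv/uploads".
def ensure_inside!(base, path)
  rel = path.relative_path_from(base)
  raise UnsafePathError, "#{path} escapes #{base}" if rel.each_filename.first == ".."
end

# Map a client-supplied relative file name to a destination under base_dir.
# Hypothetical helper: names are assumptions, not Cloud Controller identifiers.
def safe_destination(base_dir, client_path)
  raise UnsafePathError, "empty path" if client_path.nil? || client_path.empty?
  raise UnsafePathError, "NUL byte" if client_path.include?("\0")
  name = client_path.tr("\\", "/")               # treat backslash as a separator too
  raise UnsafePathError, "absolute path" if name.start_with?("/")

  base = Pathname.new(File.realpath(base_dir))
  candidate = base.join(name).cleanpath           # lexical step: collapses "../"
  ensure_inside!(base, candidate)
  raise UnsafePathError, "names the base directory" if candidate == base

  # Symlink step: resolve the deepest component that already exists.
  existing = candidate
  existing = existing.parent until existing.exist? || existing.symlink?
  begin
    ensure_inside!(base, existing.realpath)
  rescue Errno::ENOENT
    raise UnsafePathError, "dangling symlink at #{existing}"
  end
  candidate.to_s
end

# Constructed sample inputs, checked against a throwaway directory tree.
def demo
  Dir.mktmpdir do |root|
    base = File.join(root, "uploads")
    FileUtils.mkdir_p(File.join(base, "app"))
    File.symlink(root, File.join(base, "out"))    # symlink pointing outside base
    ["app/config.yml", "../../etc/cron.d/job", "../uploads-evil/f", "out/x"].to_h do |p|
      [p, (safe_destination(base, p) && :accepted rescue :rejected)]
    end
  end
end
```

The check and the later write are separate steps, so the destination directory should not be writable by other local users between them.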

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2015-1834

Affected Products

Cloud Foundry
Pivotal Cloud Foundry (Pcf) Elastic Runtime