PT-2020-18468 · Cloud Foundry · Cloud Foundry Routing
Published: 2020-08-21 · Updated: 2021-06-07 · CVE-2020-5416
CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Cloud Foundry Routing (Gorouter) versions prior to 0.204.0
Description
The issue allows an unauthenticated attacker to send specially crafted HTTP requests that can cause NGINX to drop the Gorouters from its backend pool, resulting in denial of service. It affects deployments in which Cloud Foundry Routing (Gorouter) sits behind NGINX reverse proxies.
Recommendations
For Cloud Foundry Routing (Gorouter) versions prior to 0.204.0, update to version 0.204.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Gorouter when used with NGINX reverse proxies to minimize the risk of exploitation.
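The following NGINX fragment is an added illustration of the temporary workaround, not configuration from the Cloud Foundry or NGINX projects. The upstream addresses (10.0.0.11 and 10.0.0.12) and the trusted client range (10.0.1.0/24) are constructed placeholders; substitute the values of your own deployment.

```nginx
# Added example: restrict which clients may reach the Gorouters through NGINX.
# Addresses and networks below are constructed placeholders, not real values.
upstream gorouters {
    # max_fails / fail_timeout are NGINX's passive health-check parameters;
    # they decide how quickly a failing Gorouter is marked unavailable.
    server 10.0.0.11:80 max_fails=3 fail_timeout=30s;
    server 10.0.0.12:80 max_fails=3 fail_timeout=30s;
}

server {
    listen 80;

    location / {
        # Only trusted clients (assumed 10.0.1.0/24) may send requests to the
        # Gorouters while the upgrade to 0.204.0 or later is pending.
        allow 10.0.1.0/24;
        deny  all;

        proxy_pass http://gorouters;
    }
}
```

Access restriction only reduces exposure; the durable fix remains upgrading Cloud Foundry Routing (Gorouter) to 0.204.0 or later.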
Fix
Improper Resource Release
Weakness Enumeration
Related Identifiers
Affected Products
Cloud Foundry Routing
Nginx