cloud foundry foundation

Top products

The 14 most recently published vulnerabilities affecting cloud foundry foundation.

• CVE-2026-47833setupBpmLogs follows symlink for bpm.log open and chown — container-to-host privilege escalation via /etc/shadow. A compromised process inside a bpm container can cause root to chown an arbitrary...6.1Jun 18, 2026
• CVE-2026-41010ReleaseJob#unpack builds job_dir = File.join(@release_dir, 'jobs', name) and job_tgz = File.join(@release_dir, 'jobs', "#{name}.tgz") where name returns @job_meta['name'], a value taken verbatim fr...8.2Jun 4, 2026
• CVE-2026-41011PackagePersister.validate_tgz builds "tar -tf #{tgz} 2>&1" where tgz = File.join(release_dir, 'packages', "#{name}.tgz") and name = package_meta['name'] comes directly from release.MF inside the up...8.2Jun 4, 2026
• CVE-2026-41858Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a...7.5Jun 4, 2026
• CVE-2026-41859A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials (Basic auth header or UAA client secret) and can tamper with the VM list that is written into ...7.8Jun 4, 2026
• CVE-2026-41860CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-...8.8Jun 4, 2026
• CVE-2026-40965Cloud Foundry UAA versions v76.12.0 through v78.12.0 are vulnerable to a private key exposure. The server contains a vulnerability where EC (Elliptic Curve) private keys are inadvertently exposed t...10.0Jun 1, 2026
• CVE-2026-40964Authentication Bypass in cf-auth-proxy in Cloud Foundry Foundation all installations allows an unauthenticated remote attacker to gain read access to every log and metric for every application and ...7.5Jun 1, 2026
• CVE-2026-41704Compromised VM can make arbitrary blobstore deletes5.0May 27, 2026
• CVE-2026-41009Local Blobstore may allow arbitrary reads/deletes5.8May 27, 2026
• CVE-2024-37082When deploying Cloud Foundry together with the haproxy-boshrelease and using a non default configuration, it might be possible to craft HTTP requests that bypass mTLS authentication to Cloud Foundr...9.1Jul 3, 2024
• CVE-2022-31197SQL Injection in ResultSet.refreshRow() with malicious column names in pgjdbc7.1Aug 3, 2022
• CVE-2015-5171The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified ...9.8Oct 24, 2017
• CVE-2015-5172Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expir...9.8Oct 24, 2017