exploitDog

CVE-2023-20881

Опубликовано: 19 мая 2023

Источник: nvd

CVSS3: 8.1

EPSS Низкий

Описание

Cloud foundry instances having CAPI version between 1.140 and 1.152.0 along with loggregator-agent v7+ may override other users syslog drain credentials if they're aware of the client certificate used for that syslog drain. This applies even if the drain has zero certs. This would allow the user to override the private key and add or modify a certificate authority used for the connection.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:cloudfoundry:capi-release:*:*:*:*:*:*:*:*

Версия от 1.140 (включая) до 1.152.0 (включая)

cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*

Версия от 24.7.0 (включая) до 29.0.0 (включая)

cpe:2.3:a:cloudfoundry:loggregator-agent:*:*:*:*:*:*:*:*

Версия от 7.0 (включая) до 7.2.1 (включая)

EPSS

Процентиль: 30%

0.00111

Низкий

8.1 High

CVSS3

Дефекты

CWE-295

CWE-295

Связанные уязвимости

GHSA-gwjh-7ghx-8gww

CVSS3: 8.1

github

больше 2 лет назад

Cloud foundry instances having CAPI version between 1.140 and 1.152.0 along with loggregator-agent v7+ may override other users syslog drain credentials if they're aware of the client certificate used for that syslog drain. This applies even if the drain has zero certs. This would allow the user to override the private key and add or modify a certificate authority used for the connection.

EPSS

Процентиль: 30%

0.00111

Низкий

8.1 High

CVSS3

Дефекты

CWE-295

CWE-295