All Vulnerability Reports

CVE-2020-5401: GoRouter is vulnerable to a cache poisoning DoS

Severity

Medium

Vendor

Pivotal

Description

Pivotal Application Service, 2.6 versions prior to 2.6.16, 2.7 versions prior to 2.7.10 and 2.8 versions prior to 2.8.4, and Pivotal Isolation Segment, 2.6 versions prior to 2.6.15, 2.7 versions prior to 2.7.10 and 2.8 versions prior to 2.8.4, through the inclusion of Cloud Foundry Routing Release, allows malicious clients to send invalid headers, causing caching layers to reject subsequent clients trying to access the app, causing a denial of service.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

• Pivotal Application Service (PAS)
  • 2.6 versions prior to 2.6.16
  • 2.7 versions prior to 2.7.10
  • 2.8 versions prior to 2.8.4

• Pivotal Isolation Segment
  • 2.6 versions prior to 2.6.15
  • 2.7 versions prior to 2.7.10
  • 2.8 versions prior to 2.8.4

Mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

• Pivotal Application Service (PAS)
  • 2.6.16
  • 2.7.10
  • 2.8.4

• Pivotal Isolation Segment
  • 2.6.15
  • 2.7.10
  • 2.8.4

Credit

Nathan Davison

References

• https://www.cloudfoundry.org/blog/cve-2020-5401
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5401

History

2020-02-24: Initial vulnerability report published.