Information Exposure

Affecting code.cloudfoundry.org/gorouter/route package, versions <0.172.0

high severity

Overview

code.cloudfoundry.org/gorouter/route is part of Gorouter, the Cloud Foundry L7 HTTP router that sits in front of every application instance on the platform.

Affected versions of the package are vulnerable to Information Exposure and Denial of Service. Gorouter mishandles WebSocket requests that reach it through AWS Application Load Balancers (ALBs) and some other HTTP-aware load balancers. A user with developer privileges on the platform (that is, someone who can push an application) could use this vulnerability to steal data or cause a denial of service; the advisory does not give further detail on the mishandling.
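The advisory does not say what the mishandling was, so the following is an added example rather than Gorouter's code or its fix. It shows the check an L7 router has to get right when a WebSocket handshake arrives through an HTTP-aware load balancer: such intermediaries may rewrite the hop-by-hop Connection header, so a router that only recognises the exact form a browser sends directly will classify the request wrongly. NaiveIsWebSocket, IsWebSocketUpgrade, ClassifyRawRequest, the host app.example.com and both sample requests are constructed for this example; the "via load balancer" request is a hypothetical form of the handshake, not traffic captured from an ALB.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// headerHasToken reports whether the header called name, taking every
// occurrence of it, contains tok as one of its comma-separated tokens.
// Comparison is case-insensitive and surrounding whitespace is ignored,
// as RFC 7230 requires for list-valued headers such as Connection.
func headerHasToken(h http.Header, name, tok string) bool {
	for _, v := range h.Values(name) {
		for _, t := range strings.Split(v, ",") {
			if strings.EqualFold(strings.TrimSpace(t), tok) {
				return true
			}
		}
	}
	return false
}

// NaiveIsWebSocket is a brittle check written for this example: it only
// recognises the exact form a browser sends directly. A request whose
// Connection header was rewritten by an intermediary (for example merged
// with keep-alive) is misclassified as plain HTTP.
func NaiveIsWebSocket(h http.Header) bool {
	return h.Get("Connection") == "Upgrade" && h.Get("Upgrade") == "websocket"
}

// IsWebSocketUpgrade applies the RFC 6455 section 4.2.1 rules: the request
// must carry an Upgrade header whose tokens include "websocket" and a
// Connection header whose tokens include "upgrade", both case-insensitive.
// An Upgrade header that is not listed in Connection is ignored, which is
// what RFC 7230 section 6.7 tells a server to do, so such a request is
// forwarded as ordinary HTTP rather than hijacked as a WebSocket.
func IsWebSocketUpgrade(h http.Header) bool {
	return headerHasToken(h, "Connection", "upgrade") &&
		headerHasToken(h, "Upgrade", "websocket")
}

// ClassifyRawRequest parses a raw HTTP/1.1 request and reports whether a
// router should treat it as a WebSocket upgrade ("websocket") or forward
// it as ordinary HTTP ("http").
func ClassifyRawRequest(raw string) (string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return "", err
	}
	if IsWebSocketUpgrade(req.Header) {
		return "websocket", nil
	}
	return "http", nil
}

// Constructed sample requests (not captured traffic): the first is what a
// browser sends directly, the second is a hypothetical form of the same
// handshake after an intermediary has folded Connection into a token list.
const directRequest = "GET /chat HTTP/1.1\r\n" +
	"Host: app.example.com\r\n" +
	"Connection: Upgrade\r\n" +
	"Upgrade: websocket\r\n" +
	"Sec-WebSocket-Version: 13\r\n" +
	"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n"

const viaLoadBalancerRequest = "GET /chat HTTP/1.1\r\n" +
	"Host: app.example.com\r\n" +
	"Connection: keep-alive, Upgrade\r\n" +
	"Upgrade: WebSocket\r\n" +
	"Sec-WebSocket-Version: 13\r\n" +
	"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n"

func main() {
	for name, raw := range map[string]string{
		"direct":            directRequest,
		"via load balancer": viaLoadBalancerRequest,
	} {
		req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-18s naive=%-5v rfc6455=%v\n", name,
			NaiveIsWebSocket(req.Header), IsWebSocketUpgrade(req.Header))
	}
}
```

The point for a router operator is that the two checks disagree exactly on the traffic shape a load balancer in front of the router produces, and that a request carrying Upgrade without a matching Connection token must stay on the ordinary HTTP path instead of being hijacked to a raw TCP stream.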

Remediation

Upgrade code.cloudfoundry.org/gorouter/route to version 0.172.0 or higher.

Credit
Unknown
CVE
CVE-2018-1221
CWE
CWE-20
Snyk ID
SNYK-GOLANG-CODECLOUDFOUNDRYORGGOROUTERROUTE-50074
Disclosed
18 Mar, 2018
Published
10 Jun, 2018