Information Exposure

Affecting code.cloudfoundry.org/gorouter/route package, versions <0.172.0

Overview

code.cloudfoundry.org/gorouter/route contains the source code for the Cloud Foundry L7 HTTP router.

Affected versions of the package are vulnerable to Information Exposure or Denial of Service. The router mishandles WebSocket requests when deployed behind AWS Application Load Balancers (ALBs) and some other HTTP-aware load balancers. A user with developer privileges could exploit this vulnerability to steal data or cause a denial of service.

Remediation

Upgrade code.cloudfoundry.org/gorouter/route to version 0.172.0 or higher.

CVSS Score

8.1 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: High
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Credit: Unknown
CVE: CVE-2018-1221
CWE: CWE-20
Snyk ID: SNYK-GOLANG-CODECLOUDFOUNDRYORGGOROUTERROUTE-50074
Disclosed: 18 Mar, 2018
Published: 10 Jun, 2018