CVE-2017-14388

HIGH

Cloud Foundry Foundation GrootFS <0.30.0 - Code Injection

Title source: llm
STIX 2.1

Description

Cloud Foundry Foundation GrootFS release 0.3.x versions prior to 0.30.0 do not validate DiffIDs, allowing specially crafted images to poison the grootfs volume cache. For example, this could allow an attacker to provide an image layer that GrootFS would consider to be the Ubuntu base layer.

References (1)

Core 1
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://www.cloudfoundry.org/cve-2017-14388/

Scores

CVSS v3 7.8
EPSS 0.0073
EPSS Percentile 49.9%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (28)
n/a/GrootFS release GrootFS release 0.3.x versions prior to 0.30.0 GrootFS release GrootFS release 0.3.x versions prior to 0.30.0
pivotal_software/grootfs 0.3.0
pivotal_software/grootfs 0.4.0
pivotal_software/grootfs 0.5.0
pivotal_software/grootfs 0.6.0
pivotal_software/grootfs 0.7.0
pivotal_software/grootfs 0.8.0
pivotal_software/grootfs 0.9.0
pivotal_software/grootfs 0.10.0
pivotal_software/grootfs 0.11.0
... and 18 more
Published Nov 13, 2017
Tracked Since Feb 18, 2026