CVE-2018-1265
HIGHCloudfoundry Cf-deployment < 1.37.0 - Unrestricted File Upload
Title source: ruleDescription
Cloud Foundry Diego, release versions prior to 2.8.0, does not properly sanitize file paths in tar and zip files headers. A remote attacker with CF admin privileges can upload a malicious buildpack that will allow a complete takeover of a Diego Cell VM and access to all apps running on that Diego Cell.
References (1)
Core 1
Core References
Third Party Advisory x_refsource_confirm
https://www.cloudfoundry.org/blog/cve-2018-1265/
Scores
CVSS v3
7.2
EPSS
0.0065
EPSS Percentile
70.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (2)
cloudfoundry/cf-deployment
< 1.37.0
pivotal_software/cloud_foundry_diego
< 2.8.0
Published
Jun 06, 2018
Tracked Since
Feb 18, 2026