CVE-2023-20881

HIGH

Cloud Foundry CAPI 1.140-1.152.0 & Loggregator-Agent 7.0-7.2.1 - Improper Certificate Validation in Syslog Drain MTLS

Title source: llm

Description

Cloud foundry instances having CAPI version between 1.140 and 1.152.0 along with loggregator-agent v7+ may override other users syslog drain credentials if they're aware of the client certificate used for that syslog drain. This applies even if the drain has zero certs. This would allow the user to override the private key and add or modify a certificate authority used for the connection.

References (1)

Core 1

Core References

Vendor Advisory

https://www.cloudfoundry.org/blog/cve-2023-20881-cas-for-syslog-drain-mtls-feature-can-be-overwritten/

Scores

CVSS v3 8.1

EPSS 0.0036

EPSS Percentile 27.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-295

Status published

Products (3)

cloudfoundry/capi-release 1.140 - 1.152.0

cloudfoundry/cf-deployment 24.7.0 - 29.0.0

cloudfoundry/loggregator-agent 7.0 - 7.2.1

Published May 19, 2023

Tracked Since Feb 18, 2026