CVE-2023-20882

MEDIUM

Cloudfoundry Cf-deployment < 29.0.0 - Denial of Service

Title source: rule

Description

In Cloud Foundry routing release versions from 0.262.0 and prior to 0.266.0, a bug in the gorouter process can lead to a denial of service of applications hosted on Cloud Foundry. Under the right circumstances, when client connections are closed prematurely, gorouter marks the currently selected backend as failed and removes it from the routing pool.

Scores

CVSS v3 5.9
EPSS 0.0059
EPSS Percentile 43.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-400
Status published
Products (2)
cloudfoundry/cf-deployment 27.4.0 - 29.0.0
cloudfoundry/routing_release 0.262.0 - 0.266.0
Published May 26, 2023
Tracked Since Feb 18, 2026