CVE-2016-8218

CVE	CVE-2016-8218
State	PUBLISHED
Assigner	dell
Source Priority	CVE Program / NVD first with legacy fallback
Published	2017-06-13 06:29:00 UTC
Updated	2025-04-20 01:37:25 UTC
Description	An issue was discovered in Cloud Foundry Foundation routing-release versions prior to 0.142.0 and cf-release versions 203 to 231. Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users to the routing API, aka an "Unauthenticated JWT signing algorithm in routing" issue.

Primary CVSS: v3.0 9.8 CRITICAL from [email protected]

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem Types: CWE-20 | Unauthenticated JWT signing algorithm in routing

Version	Source	Type	Score	Severity	Vector
3.0	[email protected]	Primary	9.8	CRITICAL	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
2.0	[email protected]	Primary	7.5		`AV:N/AC:L/Au:N/C:P/I:P/A:P`

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Access Vector

Network

Access Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Type	Vendor	Product	Version	Update	Edition	Language
Application	Cloudfoundry	Cf-release	204	All	All	All
Application	Cloudfoundry	Cf-release	205	All	All	All
Application	Cloudfoundry	Cf-release	206	All	All	All
Application	Cloudfoundry	Cf-release	207	All	All	All
Application	Cloudfoundry	Cf-release	208	All	All	All
Application	Cloudfoundry	Cf-release	209	All	All	All
Application	Cloudfoundry	Cf-release	210	All	All	All
Application	Cloudfoundry	Cf-release	211	All	All	All
Application	Cloudfoundry	Cf-release	212	All	All	All
Application	Cloudfoundry	Cf-release	213	All	All	All
Application	Cloudfoundry	Cf-release	214	All	All	All
Application	Cloudfoundry	Cf-release	215	All	All	All
Application	Cloudfoundry	Cf-release	217	All	All	All
Application	Cloudfoundry	Cf-release	218	All	All	All
Application	Cloudfoundry	Cf-release	219	All	All	All
Application	Cloudfoundry	Cf-release	220	All	All	All
Application	Cloudfoundry	Cf-release	221	All	All	All
Application	Cloudfoundry	Cf-release	222	All	All	All
Application	Cloudfoundry	Cf-release	223	All	All	All
Application	Cloudfoundry	Cf-release	224	All	All	All
Application	Cloudfoundry	Cf-release	225	All	All	All
Application	Cloudfoundry	Cf-release	226	All	All	All
Application	Cloudfoundry	Cf-release	227	All	All	All
Application	Cloudfoundry	Cf-release	228	All	All	All
Application	Cloudfoundry	Cf-release	229	All	All	All
Application	Cloudfoundry	Cf-release	230	All	All	All
Application	Cloudfoundry	Cf-release	231	All	All	All
Application	Cloudfoundry	Cf-release	All	All	All	All
Application	Cloudfoundry	Routing-release	All	All	All	All

Source	Vendor	Product	Version	Platforms
CNA	Na	Cloud Foundry	affected Cloud Foundry	Not specified

Reference	Source	Link	Tags
CVE-2016-8218: Unauthenticated JWT signing algorithm in routing \| Cloud Foundry	af854a3a-2127-422b-91ae-364da2661108	www.cloudfoundry.org	Patch, Vendor Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.