CVE-2023-20881
Summary
| CVE | CVE-2023-20881 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-05-19 15:15:00 UTC |
| Updated | 2023-05-26 15:59:00 UTC |
| Description | Cloud foundry instances having CAPI version between 1.140 and 1.152.0 along with loggregator-agent v7+ may override other users syslog drain credentials if they're aware of the client certificate used for that syslog drain. This applies even if the drain has zero certs. This would allow the user to override the private key and add or modify a certificate authority used for the connection. |
Risk And Classification
Problem Types: CWE-295
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Cloudfoundry | Capi-release | All | All | All | All |
| Application | Cloudfoundry | Cf-deployment | All | All | All | All |
| Application | Cloudfoundry | Loggregator-agent | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| CVE-2023-20881: CAs for syslog-drain mtls feature can be overwritten | Cloud Foundry | MISC | www.cloudfoundry.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.