{"api_version":"1","generated_at":"2026-04-23T01:31:34+00:00","cve":"CVE-2020-5401","urls":{"html":"https://cve.report/CVE-2020-5401","api":"https://cve.report/api/cve/CVE-2020-5401.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-5401","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-5401"},"summary":{"title":"CVE-2020-5401","description":"Cloud Foundry Routing Release, versions prior to 0.197.0, contains GoRouter, which allows malicious clients to send invalid headers, causing caching layers to reject subsequent legitimate clients trying to access the app.","state":"PUBLIC","assigner":"security@pivotal.io","published_at":"2020-02-27 20:15:00","updated_at":"2020-03-03 19:43:00"},"problem_types":["CWE-444"],"metrics":[],"references":[{"url":"https://www.cloudfoundry.org/blog/cve-2020-5401","name":"https://www.cloudfoundry.org/blog/cve-2020-5401","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"CVE-2020-5401: Cloud Foundry GoRouter is vulnerable to cache poisoning | Cloud Foundry","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-5401","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5401","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"5401","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"cloudfoundry","cpe5":"routing_release","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"5401","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"cloudfoundry","cpe5":"routing_release","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"security@pivotal.io","DATE_PUBLIC":"2020-02-24T00:00:00.000Z","ID":"CVE-2020-5401","STATE":"PUBLIC","TITLE":"Cloud Foundry GoRouter is vulnerable to cache poisoning"},"source":{"discovery":"UNKNOWN"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Routing","version":{"version_data":[{"affected":"<","version_value":"0.197.0"}]}}]},"vendor_name":"Cloud Foundry"}]}},"description":{"description_data":[{"lang":"eng","value":"Cloud Foundry Routing Release, versions prior to 0.197.0, contains GoRouter, which allows malicious clients to send invalid headers, causing caching layers to reject subsequent legitimate clients trying to access the app."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-393: Return of Wrong Status Code"}]}]},"references":{"reference_data":[{"refsource":"CONFIRM","url":"https://www.cloudfoundry.org/blog/cve-2020-5401","name":"https://www.cloudfoundry.org/blog/cve-2020-5401"}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","version":"3.0"}}},"nvd":{"publishedDate":"2020-02-27 20:15:00","lastModifiedDate":"2020-03-03 19:43:00","problem_types":["CWE-444"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:cloudfoundry:routing_release:*:*:*:*:*:*:*:*","versionEndExcluding":"0.197.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"5401","Ordinal":"165624","Title":"CVE-2020-5401","CVE":"CVE-2020-5401","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"5401","Ordinal":"1","NoteData":"Cloud Foundry Routing Release, versions prior to 0.197.0, contains GoRouter, which allows malicious clients to send invalid headers, causing caching layers to reject subsequent legitimate clients trying to access the app.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"5401","Ordinal":"2","NoteData":"2020-02-27","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"5401","Ordinal":"3","NoteData":"2020-02-27","Type":"Other","Title":"Modified"}]}}}