Medium severity6.6NVD Advisory· Published Jul 17, 2017· Updated May 13, 2026

CVE-2017-8034

Description

The Cloud Controller and Router in Cloud Foundry (CAPI-release capi versions prior to v1.32.0, Routing-release versions prior to v0.159.0, CF-release versions prior to v267) do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With certain multi-zone UAA configurations, zone administrators are able to escalate their privileges.

Affected products

Cloudfoundry/Capi Release
cpe:2.3:a:cloudfoundry:capi-release:*:*:*:*:*:*:*:*
Range: <=1.31.0
Cloudfoundry/Cf Release
cpe:2.3:a:cloudfoundry:cf-release:*:*:*:*:*:*:*:*
Range: <=266
Cloudfoundry/Routing Release
cpe:2.3:a:cloudfoundry:routing-release:*:*:*:*:*:*:*:*
Range: <=0.158.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.cloudfoundry.org/cve-2017-8034/nvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.429
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000