CVE-2019-11289

Cloud Foundry Routing, all versions before 0.193.0, does not properly validate nonce input. A remote unauthenticated malicious user could forge an HTTP route service request using an invalid nonce that will cause the Gorouter to crash.

Published: Nov 19, 2019
Updated: May 9, 2024
CVE: CVE-2019-11289
GHSA: GHSA-5796-p3m6-9qj4
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.6
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS v2:

Severity: High
Score: 7.8
AV:N/AC:L/Au:N/C:N/I:N/A:C

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
cloudfoundry / routing-release	-	0.193.0
cloudfoundry / cf-deployment	-	12.8.0
code.cloudfoundry.org/gorouter	-	0.0.0-20191101214924-b1b5c44e050f
github.com/cloudfoundry/gorouter	-	0.0.0-20191101214924-b1b5c44e050f

https://github.com/cloudfoundry/gorouter/commit/b1b5c44e050f73b399b379ca63a42a2c5780a83f
https://pkg.go.dev/vuln/GO-2021-0102
https://www.cloudfoundry.org/blog/cve-2019-11289

Vulnerability Database

CVE-2019-11289

Deep Security Visibility Without the Complexity