CVE-2020-5401: GoRouter is vulnerable to a cache poisoning DoS
23828
24 February 2020
CLOSED
Severity
Medium
Vendor
Pivotal
Description
Pivotal Application Service, 2.6 versions prior to 2.6.16, 2.7 versions prior to 2.7.10 and 2.8 versions prior to 2.8.4, and Pivotal Isolation Segment, 2.6 versions prior to 2.6.15, 2.7 versions prior to 2.7.10 and 2.8 versions prior to 2.8.4, include Cloud Foundry Routing Release and therefore allow a malicious client to send invalid headers that cause caching layers to reject subsequent clients trying to access the app, resulting in a denial of service.
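The advisory does not say which headers are involved or how GoRouter handled them, so the following is only a generic illustration of the defensive pattern behind this class of issue, written in Go because GoRouter is a Go component. It is an added example, not GoRouter's code and not the vendor's fix. It assumes a hypothetical edge middleware, HeaderGuard, that validates incoming header names and values against the RFC 7230 token and field-value grammar and answers malformed requests with a 400 that is explicitly marked Cache-Control: no-store, so an intermediary cache cannot store that error under the app's URL and hand it to later, well-behaved clients. The header names and values in Probe and main are constructed test inputs.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isToken reports whether s is a valid HTTP token (RFC 7230 section 3.2.6):
// one or more characters that are not controls, space, DEL or separators.
func isToken(s string) bool {
	if s == "" {
		return false
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c <= ' ' || c >= 0x7f || strings.IndexByte("()<>@,;:\\\"/[]?={}", c) >= 0 {
			return false
		}
	}
	return true
}

// validFieldValue reports whether v contains no control characters other
// than horizontal tab (so no CR, LF, NUL or DEL), per the RFC 7230 grammar.
func validFieldValue(v string) bool {
	for i := 0; i < len(v); i++ {
		c := v[i]
		if (c < 0x20 && c != '\t') || c == 0x7f {
			return false
		}
	}
	return true
}

// ValidateHeaders returns the first header name that is malformed itself or
// carries a malformed value, or "" when every header is well formed.
func ValidateHeaders(h http.Header) string {
	for name, values := range h {
		if !isToken(name) {
			return name
		}
		for _, v := range values {
			if !validFieldValue(v) {
				return name
			}
		}
	}
	return ""
}

// HeaderGuard (hypothetical middleware) rejects malformed requests at the edge
// before they reach the app, and marks the error response non-cacheable so a
// downstream cache cannot serve it to other clients of the same URL.
func HeaderGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if bad := ValidateHeaders(r.Header); bad != "" {
			w.Header().Set("Cache-Control", "no-store")
			http.Error(w, "malformed header: "+bad, http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one constructed request carrying header name=value through
// HeaderGuard in front of a trivial 200 handler and reports the status code
// and the Cache-Control header of the response.
func Probe(name, value string) (int, string) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "http://app.example/", nil)
	// Assign the map entry directly so a malformed name is kept verbatim
	// instead of being canonicalised by Header.Set.
	req.Header[name] = []string{value}
	rec := httptest.NewRecorder()
	HeaderGuard(ok).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Cache-Control")
}

func main() {
	// Constructed inputs: one clean header, one bad name, one bad value.
	cases := [][2]string{{"X-Forwarded-Proto", "https"}, {"X Bad", "1"}, {"X-Ok", "a\x00b"}}
	for _, c := range cases {
		code, cc := Probe(c[0], c[1])
		fmt.Printf("%-20q -> %d %s\n", c[0], code, cc)
	}
}
```

The important design choice is the Cache-Control: no-store on the rejection path: validating headers alone stops the app from seeing them, but if the error response were cacheable, a shared cache could still keep that error keyed to the app's URL and return it to everyone until it expired, which is exactly the denial-of-service effect the advisory describes.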
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- Pivotal Application Service (PAS)
  - 2.6 versions prior to 2.6.16
  - 2.7 versions prior to 2.7.10
  - 2.8 versions prior to 2.8.4
- Pivotal Isolation Segment
  - 2.6 versions prior to 2.6.15
  - 2.7 versions prior to 2.7.10
  - 2.8 versions prior to 2.8.4
Mitigation
- Pivotal Application Service (PAS)
  - 2.6.16
  - 2.7.10
  - 2.8.4
- Pivotal Isolation Segment
  - 2.6.15
  - 2.7.10
  - 2.8.4
Credit
Nathan Davison
References
- https://www.cloudfoundry.org/blog/cve-2020-5401
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5401
History
2020-02-24: Initial vulnerability report published.