cpe:2.3:a:cloudfoundry:routing-release:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Cloudfoundry (3aa6768c-437d-5100-a420-b037598cadb4)
Product: Routing Release (a83aafb7-46d8-5697-b5e0-2557f232bba5)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:github/cloudfoundry/routing_release | purl2cpe | 2026-06-01 10:12:05.087747

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2023-34041 vulnerable 2026-06-03 14:52:15.469128 CVE-2023-34041-Abuse of HTTP Hop-by-Hop Headers in Cloud Foundry Gorouter
MEDIUM (5.3)
Cloud foundry routing release versions prior to 0.278.0 are vulnerable to abuse of HTTP Hop-by-Hop Headers. An unauthenticated attacker can use this vulnerability for headers like B3 or X-B3-SpanID to affect the identification value recorded in the logs in foundations.
Published: 2023-09-08T07:22:00.607Z
Updated: 2024-08-02T15:54:14.253Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-5416 vulnerable 2026-06-03 14:42:56.432071 CF clusters with NGINX in front of them may be vulnerable to DoS
HIGH (7.7)
Cloud Foundry Routing (Gorouter), versions prior to 0.204.0, when used in a deployment with NGINX reverse proxies in front of the Gorouters, is potentially vulnerable to denial-of-service attacks in which an unauthenticated malicious attacker can send specially-crafted HTTP requests that may cause the Gorouters to be dropped from the NGINX backend pool.
Published: 2020-08-21T21:50:14.375Z
Updated: 2024-09-16T16:53:12.333Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-15586 vulnerable 2026-06-03 14:41:46.052673 Details available
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
Published: 2020-07-17T15:38:24.000Z
Updated: 2024-08-04T13:22:29.273Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-11289 vulnerable 2026-06-03 14:39:32.656201 A forged route service request using an invalid nonce can cause the gorouter to panic and crash
HIGH (8.6)
Cloud Foundry Routing, all versions before 0.193.0, does not properly validate nonce input. A remote unauthenticated malicious user could forge an HTTP route service request using an invalid nonce that will cause the Gorouter to crash.
Published: 2019-11-19T18:41:04.566Z
Updated: 2024-09-16T22:14:00.610Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-1221 vulnerable 2026-06-03 14:38:30.569533 Details available
In cf-deployment before 1.14.0 and routing-release before 0.172.0, the Cloud Foundry Gorouter mishandles WebSocket requests for AWS Application Load Balancers (ALBs) and some other HTTP-aware Load Balancers. A user with developer privileges could use this vulnerability to steal data or cause denial of service.
Published: 2018-03-19T18:00:00.000Z
Updated: 2024-09-17T01:15:36.021Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-1193 vulnerable 2026-06-03 14:38:30.508359 Details available
Cloud Foundry routing-release, versions prior to 0.175.0, lacks sanitization for user-provided X-Forwarded-Proto headers. A remote user can set the X-Forwarded-Proto header in a request to potentially bypass an application requirement to only respond over secure connections.
Published: 2018-05-23T15:00:00.000Z
Updated: 2024-09-17T03:47:48.896Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-8034 vulnerable 2026-06-03 14:37:38.906904 Details available
The Cloud Controller and Router in Cloud Foundry (CAPI-release capi versions prior to v1.32.0, Routing-release versions prior to v0.159.0, CF-release versions prior to v267) do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With certain multi-zone UAA configurations, zone administrators are able to escalate their privileges.
Published: 2017-07-17T14:00:00.000Z
Updated: 2024-08-05T16:19:29.540Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-8218 vulnerable 2026-06-03 14:36:08.994750 Details available
An issue was discovered in Cloud Foundry Foundation routing-release versions prior to 0.142.0 and cf-release versions 203 to 231. Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users to the routing API, aka an "Unauthenticated JWT signing algorithm in routing" issue.
Published: 2017-06-13T06:00:00.000Z
Updated: 2024-08-06T02:13:21.828Z
Imported from gcve-enriched-dumps CVE data