CVE-2018-1265: Diego does not properly sanitize file paths in tar/zip files
Severity

Critical

References

Affected Pivotal Products and Versions

Severity is critical unless otherwise noted.

  • Pivotal Application Service
    • 2.1.x versions prior to 2.1.7
    • 2.0.x versions prior to 2.0.16
    • 1.12.x versions prior to 1.12.25
    • 1.11.x versions prior to 1.11.35
  • PCF Isolation Segment
    • 2.1.x versions prior to 2.1.6
    • 2.0.x versions prior to 2.0.12
    • 1.12.x versions prior to 1.12.21
    • 1.11.x versions prior to 1.11.30
  • PAS for Windows2012R2
    • 2.1.x versions prior to 2.1.6
    • 2.0.x versions prior to 2.0.8
    • 1.12.x versions prior to 1.12.11
    • 1.11.x versions prior to 1.11.13
  • PAS for Windows
    • 2.1.x versions prior to 2.1.7

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team recommends upgrading BOSH stemcells and/or other OSS components listed here if applicable.
  • Releases that have fixed this issue include:
    • Pivotal Application Service: 2.1.7, 2.0.16, 1.12.25, 1.11.35
    • PCF Isolation Segment: 2.1.6, 2.0.12, 1.12.21, 1.11.30
    • PAS for Windows2012R2: 2.1.6, 2.0.8, 1.12.11, 1.11.13
    • PAS for Windows: 2.1.7