CVE-2015-5170: Cloud Foundry Runtime Cross-Site Request Forgery vulnerability
CVSS Score (v3.1): 8.8
Basic Information
CVE ID: CVE-2015-5170
GHSA ID
EPSS Score: 0.53367%
CWE
Published: 5/13/2022
Updated: 2/28/2024
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.cloudfoundry.identity:cloudfoundry-identity-server | maven | < 2.5.2 | 2.5.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from missing CSRF protection on the login endpoints. The patch shows that the critical change was enabling CSRF protection with a cookie-based token repository (the loginCookieCsrfRepository bean) and removing disabled='true' from the XML configuration. The pre-patch `<csrf disabled='true'/>` in login-ui.xml directly caused the vulnerability by switching off Spring Security's CSRF checks for login requests, so a login POST forged from another origin was accepted without any token validation.
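The weak setting beside the corrected one, as an added illustration in Spring Security's XML namespace. This is not the project's own login-ui.xml (only the single `<csrf>` element is quoted on the page); the URL pattern, the intercept rule and the use of Spring Security's CookieCsrfTokenRepository as the cookie-based repository class are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration, not the project's own login-ui.xml.
     The pattern, intercept rule and bean class are assumptions. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- BEFORE (vulnerable, versions < 2.5.2): the pre-patch state named in
       the analysis. disabled="true" leaves CsrfFilter out of this filter
       chain, so a login POST submitted from another origin is processed
       with the victim's browser cookies and no token is ever checked.

       <sec:http pattern="/login**">
         <sec:intercept-url pattern="/**" access="permitAll"/>
         <sec:csrf disabled="true"/>
       </sec:http>
  -->

  <!-- AFTER (2.5.2): CSRF protection enabled, with tokens kept in a cookie
       by the loginCookieCsrfRepository bean named in the analysis. -->
  <sec:http pattern="/login**">
    <sec:intercept-url pattern="/**" access="permitAll"/>
    <sec:csrf token-repository-ref="loginCookieCsrfRepository"/>
  </sec:http>

  <!-- Assumption: Spring Security's own CookieCsrfTokenRepository stands in
       for the project's cookie-based repository, whose class name is not
       on the page. The login form must echo the token back (hidden _csrf
       field or X-CSRF-TOKEN header); otherwise CsrfFilter rejects the
       request as access denied. -->
  <bean id="loginCookieCsrfRepository"
        class="org.springframework.security.web.csrf.CookieCsrfTokenRepository"/>
</beans>
```

A quick regression check after the fix is to submit the login form with the hidden `_csrf` field removed: Spring Security's CsrfFilter should reject it with an access-denied (HTTP 403) response rather than processing the login.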