CVE-2024-22279 - Vulnerability Details - OpenCVE

Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade
the service availability of the Cloud Foundry deployment if performed at scale.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00533.

Key SSVC decision points have not yet been added.

Vendors	Products
Cloudfoundry	Cf-deployment Routing Release

Configuration 1 [-]

OR	cpe:2.3:a:cloudfoundry:cf-deployment::::::::
	cpe:2.3:a:cloudfoundry:routing_release::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-19841	Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade the service availability of the Cloud Foundry deployment if performed at scale.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.cloudfoundry.org/blog/cve-2024-22279-gorouter-denial-of-service-attack/

History

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00246}`	epss `{'score': 0.00348}`

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2024-06-10T19:47:43.939Z

Updated: 2024-08-01T22:43:34.216Z

Reserved: 2024-01-08T18:43:18.959Z

Link: CVE-2024-22279

Vulnrichment

Updated: 2024-08-01T22:43:34.216Z

NVD

Status : Modified

Published: 2024-06-10T20:15:12.880

Modified: 2024-11-21T08:55:57.133

Link: CVE-2024-22279

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22279", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2024-01-08T18:43:18.959Z", "datePublished": "2024-06-10T19:47:43.939Z", "dateUpdated": "2024-08-01T22:43:34.216Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Routing Release", "vendor": "Cloud Foundry", "versions": [{"lessThanOrEqual": "v0.297.0", "status": "affected", "version": "v0.273.0", "versionType": "custom"}]}], "datePublic": "2024-06-05T08:01:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade\n the service availability of the Cloud Foundry deployment if performed at scale.<br>"}], "value": "Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade\n the service availability of the Cloud Foundry deployment if performed at scale."}], "impacts": [{"capecId": "CAPEC-469", "descriptions": [{"lang": "en", "value": "CAPEC-469 HTTP DoS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-06-10T19:49:06.691Z"}, "references": [{"url": "https://www.cloudfoundry.org/blog/cve-2024-22279-gorouter-denial-of-service-attack/"}], "source": {"discovery": "EXTERNAL"}, "title": "GoRouter Denial of Service Attack", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-11T17:23:05.965897Z", "id": "CVE-2024-22279", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T17:23:34.311Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:34.216Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cloudfoundry.org/blog/cve-2024-22279-gorouter-denial-of-service-attack/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cloudfoundry.org/blog/cve-2024-22279-gorouter-denial-of-service-attack/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:34.216Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22279", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-11T17:23:05.965897Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T17:23:31.118Z"}}], "cna": {"title": "GoRouter Denial of Service Attack", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-469", "descriptions": [{"lang": "en", "value": "CAPEC-469 HTTP DoS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Cloud Foundry", "product": "Routing Release", "versions": [{"status": "affected", "version": "v0.273.0", "versionType": "custom", "lessThanOrEqual": "v0.297.0"}], "defaultStatus": "unaffected"}], "datePublic": "2024-06-05T08:01:00.000Z", "references": [{"url": "https://www.cloudfoundry.org/blog/cve-2024-22279-gorouter-denial-of-service-attack/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade\n the service availability of the Cloud Foundry deployment if performed at scale.", "supportingMedia": [{"type": "text/html", "value": "Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade\n the service availability of the Cloud Foundry deployment if performed at scale.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-06-10T19:49:06.691Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22279", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:43:34.216Z", "dateReserved": "2024-01-08T18:43:18.959Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2024-06-10T19:47:43.939Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*", "matchCriteriaId": "3640FEAC-74E5-4F8B-A9DA-E223EC46407D", "versionEndIncluding": "40.13.0", "versionStartIncluding": "30.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloudfoundry:routing_release:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6C45B8F-FE7E-4FE7-9F42-644548DC7DC1", "versionEndIncluding": "0.297.0", "versionStartIncluding": "0.273.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade\n the service availability of the Cloud Foundry deployment if performed at scale."}, {"lang": "es", "value": "El manejo inadecuado de las solicitudes en Routing Release > v0.273.0 y <= v0.297.0 permite que un atacante no autenticado degrade la disponibilidad del servicio de la implementaci\u00f3n de Cloud Foundry si se realiza a escala."}], "id": "CVE-2024-22279", "lastModified": "2024-11-21T08:55:57.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security@vmware.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-10T20:15:12.880", "references": [{"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://www.cloudfoundry.org/blog/cve-2024-22279-gorouter-denial-of-service-attack/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.cloudfoundry.org/blog/cve-2024-22279-gorouter-denial-of-service-attack/"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "security@vmware.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Primary"}]}