{"id":"CVE-2017-8034","details":"The Cloud Controller and Router in Cloud Foundry (CAPI-release capi versions prior to v1.32.0, Routing-release versions prior to v0.159.0, CF-release versions prior to v267) do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With certain multi-zone UAA configurations, zone administrators are able to escalate their privileges.","modified":"2026-03-15T22:24:47.711362Z","published":"2017-07-17T14:29:01.280Z","references":[{"type":"ADVISORY","url":"https://www.cloudfoundry.org/cve-2017-8034/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cloudfoundry-attic/cf-release","events":[{"introduced":"0"},{"last_affected":"715b43f9943503f4ea3d23a2c48ccc37e9d5fecc"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"266"}]}},{"type":"GIT","repo":"https://github.com/cloudfoundry/capi-release","events":[{"introduced":"0"},{"last_affected":"13b17376cd84b4af6cbd601cb242e7661310f0c7"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.31.0"}]}},{"type":"GIT","repo":"https://github.com/cloudfoundry/routing-release","events":[{"introduced":"0"},{"last_affected":"0a16bb1da4e298061cd51f363298c3f422e3673b"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.158.0"}]}}],"versions":["-","0.118.0","0.121.0","0.123.0","0.126.0","0.133.0","0.134.0","0.135.0","0.136.0","0.137.0","0.138.0","0.139.0","0.140.0","0.141.0","0.142.0","0.143.0","0.144.0","0.145.0","0.146.0","0.147.0","0.149.0","0.150.0","0.151.0","0.152.0","0.153.0","0.154.0","0.155.0","0.156.0","0.157.0","0.158.0","0.62.0","0.66.0","0.69.0","0.99.0","1.0.0","1.1.0","1.10.0","1.11.0","1.12.0","1.13.0","1.14.0","1.15.0","1.16.0","1.17.0","1.18.0","1.19.0","1.2.0","1.20.0","1.21.0","1.22.0","1.23.0","1.24.0","1.25.0","1.26.0","1.27.0","1.28.0","1.29.0","1.3.0","1.30.0","1.31.0","1.4.0","1.5.0","1.6.0","1.7.0","1.8.0","1.9.0","list","log","rc145.0","scotty_09012012","v","v1.0.0","v100","v101","v102","v103","v104","v105","v106","v107","v108","v109","v110","v111","v112","v113","v114","v115","v116","v117","v118","v119","v119-fixed","v120","v121","v122","v123","v124","v125","v126","v127","v128","v129","v130","v131","v132","v133","v134","v135","v136","v137","v138","v139","v140","v141","v142","v143","v144","v145","v146","v147","v148","v149","v150","v151","v152","v153","v154","v155","v156","v157","v158","v159","v160","v161","v162","v163","v164","v165","v166","v168","v169","v170","v171","v172","v173","v175","v176","v177","v178","v179","v180","v182","v183","v186","v187","v188","v189","v190","v191","v192","v193","v194","v195","v196","v197","v198","v199","v200","v201","v202","v203","v204","v205","v206","v207","v208","v209","v210","v211","v212","v213","v214","v215","v217","v218","v219","v220","v221","v222","v223","v224","v225","v226","v227","v228","v229","v230","v231","v232","v233","v234","v235","v236","v237","v238","v239","v240","v241","v242","v243","v244","v245","v246","v247","v248","v249","v250","v251","v252","v253","v254","v255","v256","v257","v258","v259","v260","v261","v262","v263","v264","v265","v266","v68","v69","v70","v71","v72","v73","v74","v75","v76","v77","v78","v79","v80","v81","v82","v83","v84","v85","v86","v87","v88","v89","v90","v91","v92","v93","v94","v95","v95-fixed","v96","v97","v98","v99","works-for-us"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-8034.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}