{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "280" } ] }, "events": [ { "introduced": "0" }, { "fixed": "2ee1f4f1e1f1a96101766b726f40038cf0b2ce11" } ], "repo": "https://github.com/cloudfoundry-attic/cf-release", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "1.45.0" }, { "introduced": "0" }, { "fixed": "1.0.0" } ] }, "events": [ { "introduced": "0" }, { "fixed": "d5146b2d88a781dae70104c7c3286adf94436bbd" }, { "introduced": "0" }, { "fixed": "c4351f15e9900b53eb50dd42ad8ad3f0ee943da5" } ], "repo": "https://github.com/cloudfoundry/capi-release", "type": "GIT" } ] } ], "details": "An issue was discovered in Cloud Foundry Foundation capi-release (all versions prior to 1.45.0), cf-release (all versions prior to v280), and cf-deployment (all versions prior to v1.0.0). The Cloud Controller does not prevent space developers from creating subdomains to an already existing route that belongs to a different user in a different org and space, aka an \"Application Subdomain Takeover.\"", "id": "CVE-2017-14389", "modified": "2026-03-14T13:50:19.105335674Z", "published": "2017-11-28T07:29:00.303Z", "references": [ { "type": "REPORT", "url": "https://www.cloudfoundry.org/cve-2017-14389/" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "type": "CVSS_V3" } ] }