CVE-2016-2165 — Improper Input Validation in Cf-release

CWE-20 — Improper Input Validation4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 51.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloudfoundry Cf-release Pivotal Software Cloud Foundry Elastic Runtime Pivotal Cloud Foundry

Timeline

PublishedMay 25

Latest updateMay 13

Description

The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivotal Elastic Runtime versions prior to 1.5.19 AND 1.6.x versions prior to 1.6.20 are not cleansing request URL paths when they are invalid and are returning them in the 404 response. This could allow malicious scripts to be written directly into the 404 response.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDpivotal_software/cloud_foundry_elastic_runtime1.5.18+20

▶NVDcloudfoundry/cf-release231

▶CVEListV5pivotal/cloud_foundryElastic Runtime versions prior to 1.5.19 AND 1.6.x versions prior to 1.6.20, cf-release v231 and lower+1

🔴Vulnerability Details

GHSA

GHSA-p5pc-pcfq-64rw: The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivotal Elastic Runtime versions prior to 1↗2022-05-13

▶

CVEList

CVE-2016-2165: The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivotal Elastic Runtime versions prior to 1↗2017-05-25

▶

📄Research Papers

CTF

angry-seam-500 / README↗2016

▶