CVE-2016-2165

Published May 25, 2017

Last updated 3 years ago

CVSS medium 6.5

Overview

Description: The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivotal Elastic Runtime versions prior to 1.5.19 AND 1.6.x versions prior to 1.6.20 are not cleansing request URL paths when they are invalid and are returning them in the 404 response. This could allow malicious scripts to be written directly into the 404 response.
Source: security_alert@emc.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 6.5
Impact score: 3.6
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Severity: MEDIUM

CVSS 2.0

Type: Primary
Base score: 4.3
Impact score: 2.9
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:N/I:P/A:N

Weaknesses

nvd@nist.gov: CWE-20

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:cloudfoundry:cf-release:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9FA3664A-60D8-4339-8021-9D6966427DAC",
            "versionEndIncluding": "231"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "09AC8F12-A0E9-47E4-9F0F-A8168B825393",
            "versionEndIncluding": "1.5.18"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F4CC5918-BC38-46E3-8000-5FE87A65C0E7"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "36926681-35F4-4619-9613-155DEEEA3C8F"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "41FF3C2B-E96F-4DF7-A5C4-703206CB729E"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F9CB3C2D-3080-4A3D-8D8D-1381B5D98920"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "782781EB-147C-4B00-84C5-1D8443BFA2D6"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "35A56755-EEB2-4C93-B180-3918A36965AA"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E4009F10-08AF-470B-B903-38B8A6DBF332"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.7:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2B2E8F04-53E6-4A3C-BE4B-8D0DDA22CA8C"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.8:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "790DAB24-893A-463F-8358-171DACD75074"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.9:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3645A1A8-4945-447F-A968-101D5938F9C8"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.10:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0E52C9B9-8F94-48D8-ADA6-96918F6AAD36"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.11:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3948FC2F-AF3B-4AF3-968D-F124D03A213A"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.12:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4BA44F9B-97D5-48C0-91E9-6D3FEC8B7773"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.13:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7B414F88-6541-48C6-B9D6-4DDA035A0037"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.14:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "66235C7F-D5EE-4989-8D24-6D0781954234"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.15:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "12E75B49-2419-4313-A648-B5283DA620E7"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.16:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EED70273-3FB2-4652-9AA2-10E2E9D581DE"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.17:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A2C07910-C462-46C1-83CB-39B3FD8D25BC"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.18:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C6B9243E-31EF-48AB-BAB5-CCC3704A219F"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.19:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2BCB1D4B-F44C-41A1-90CA-62FD37003A1F"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References