MEDIUM · 6.5

CVE-2016-2165

The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivotal Elastic Runtime versions prior to 1.5.19 AND 1.6.x versions prior to 1.6.20 are not cleansing request URL paths when ...

Vulnerability Description

The Loggregator Traffic Controller endpoints in cf-release v231 and lower, and in Pivotal Elastic Runtime versions prior to 1.5.19 and 1.6.x versions prior to 1.6.20, do not sanitize invalid request URL paths before echoing them back in the 404 response. An attacker who gets a victim to open a crafted URL against the Traffic Controller can therefore have script written directly into the 404 page that the victim's browser renders (a reflected cross-site scripting condition). This is why the CVSS vector below requires user interaction and rates the impact as integrity only: the attacker controls page content, not the server or its data.
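The pattern the advisory describes, as an added illustration that is not Loggregator's own code: a Go HTTP 404 handler that echoes the unmatched request path into an HTML body, beside a hardened variant that HTML-escapes the path and serves the body as text/plain. The handler names, the probe path and the httptest harness are assumptions for the example.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"strings"
)

// vulnerableNotFound mirrors the behaviour described in the advisory: the
// unmatched request path is echoed verbatim into an HTML 404 body, so any
// markup in the (percent-decoded) path lands in the page unescaped.
// Illustrative handler only, not Loggregator's code.
func vulnerableNotFound(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(http.StatusNotFound)
	fmt.Fprintf(w, "<html><body>Not found: %s</body></html>", r.URL.Path)
}

// hardenedNotFound keeps the same diagnostic but HTML-escapes the path and
// serves the body as text/plain with nosniff, so a browser never treats the
// reflected value as markup even if escaping were ever missed.
func hardenedNotFound(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(http.StatusNotFound)
	fmt.Fprintf(w, "Not found: %s", html.EscapeString(r.URL.Path))
}

// Respond runs a handler against a GET for rawPath and returns the status
// code and body, so both variants can be compared offline.
func Respond(h http.HandlerFunc, rawPath string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, rawPath, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String()
}

// ReflectsMarkup reports whether the handler's 404 body contains the probe
// tag unescaped, i.e. whether the path is reflected without cleansing.
// The probe is sent percent-encoded, as a browser would send it; r.URL.Path
// hands the handler the decoded form.
func ReflectsMarkup(h http.HandlerFunc) bool {
	const encoded = "/nonexistent/%3Cscript%3Ealert(1)%3C/script%3E"
	const decoded = "<script>alert(1)</script>"
	_, body := Respond(h, encoded)
	return strings.Contains(body, decoded)
}

func main() {
	fmt.Println("vulnerable reflects markup:", ReflectsMarkup(vulnerableNotFound))
	fmt.Println("hardened reflects markup:  ", ReflectsMarkup(hardenedNotFound))
}
```

The same probe is the quickest field check against a Traffic Controller you are allowed to test: request a non-existent path carrying an encoded tag and inspect whether the 404 body returns it decoded and unescaped under a text/html content type.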

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: NONE
Integrity: HIGH
Availability: NONE

Affected Products

Vendor              Product                          Versions
Cloudfoundry        Cf-Release                       <= 231
Pivotal Software    Cloud Foundry Elastic Runtime    <= 1.5.18
Pivotal Software    Cloud Foundry Elastic Runtime    1.6.x prior to 1.6.20 (per the description above)

Related Weaknesses (CWE)

References

FAQ

What is CVE-2016-2165?

CVE-2016-2165 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivotal Elastic Runtime versions prior to 1.5.19 AND 1.6.x versions prior to 1.6.20 are not cleansing request URL paths when ...

How severe is CVE-2016-2165?

CVE-2016-2165 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-2165?

Check the references section above for vendor advisories and patch information. Per the description, the fixed releases are cf-release versions later than v231, Pivotal Elastic Runtime 1.5.19 or later in the 1.5 line, and 1.6.20 or later in the 1.6 line. Affected products include: Cloudfoundry Cf-Release, Pivotal Software Cloud Foundry Elastic Runtime.