Request URL Path Exposure in Pivotal Elastic Runtime and Loggregator Traffic Controller
CVE-2016-2165

6.5 MEDIUM

Key Information:

Vendor

Pivotal

CVE Published:
25 May 2017

What is CVE-2016-2165?

The Loggregator Traffic Controller in Pivotal Elastic Runtime, prior to the versions listed below, does not sanitize the request URL path before reflecting it in the 404 response returned for an invalid request. Because the unsanitized path is echoed back, the flaw can inadvertently expose sensitive information in 404 error responses and allows malicious scripts carried in the path to be inserted into the response. The vulnerability affects cf-release versions up to and including v231, Elastic Runtime versions prior to 1.5.19, and 1.6.x versions prior to 1.6.20; affected deployments should be updated promptly.
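As an added illustration (not code from Pivotal, Cloud Foundry or the Loggregator project), the following Go program contrasts a 404 handler that reflects the raw request path into an HTML body, the class of defect described above, with a hardened handler that HTML-escapes the path and serves the error as plain text with content sniffing disabled. The handler names, the probe path and the helper functions are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"strings"
)

// probePath is a constructed request path containing harmless markup; it is
// not taken from the advisory and exists only to show whether a handler
// reflects markup verbatim.
const probePath = "/does-not-exist/<b>missing</b>"

// vulnerableNotFound mirrors the class of defect described in the advisory:
// the unsanitized request path is written into an HTML 404 body, so any
// markup in the path reaches the browser unchanged. Illustrative only.
func vulnerableNotFound(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(http.StatusNotFound)
	fmt.Fprintf(w, "<html><body>No route for %s</body></html>", r.URL.Path)
}

// hardenedNotFound applies the two fixes a reviewer would ask for: escape
// anything derived from the request before it reaches the body, and serve
// the error as plain text with sniffing disabled so the browser never
// interprets the response as markup.
func hardenedNotFound(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(http.StatusNotFound)
	fmt.Fprintf(w, "No route for %s\n", html.EscapeString(r.URL.Path))
}

// render drives a handler with the given request path using httptest and
// returns the status code, Content-Type header and response body.
func render(h http.HandlerFunc, path string) (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	res := rec.Result()
	return res.StatusCode, res.Header.Get("Content-Type"), rec.Body.String()
}

// echoesRawMarkup reports whether the handler reflects the probe's tag
// verbatim, which is the condition a defender would test for.
func echoesRawMarkup(h http.HandlerFunc) bool {
	_, _, body := render(h, probePath)
	return strings.Contains(body, "<b>")
}

func main() {
	handlers := map[string]http.HandlerFunc{
		"vulnerable": vulnerableNotFound,
		"hardened":   hardenedNotFound,
	}
	for name, h := range handlers {
		code, ctype, body := render(h, probePath)
		fmt.Printf("%-10s status=%d content-type=%q raw-markup-reflected=%v\n%s\n",
			name, code, ctype, echoesRawMarkup(h), body)
	}
}
```

The `echoesRawMarkup` check is the kind of regression test worth keeping in a service's test suite: it fails whenever an error page starts reflecting unescaped request data again.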

Affected Version(s)

Cloud Foundry cf-release v231 and lower

Cloud Foundry Elastic Runtime versions prior to 1.5.19 and 1.6.x versions prior to 1.6.20

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
