CVE-2016-2165 : The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivot

The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivotal Elastic Runtime versions prior to 1.5.19 AND 1.6.x versions prior to 1.6.20 are not cleansing request URL paths when they are invalid and are returning them in the 404 response. This could allow malicious scripts to be written directly into the 404 response.

Published 2017-05-25 17:29:01

Updated 2021-08-25 21:15:26

Source Dell

View at NVD, CVE.org

Vulnerability category: Input validation

Products affected by CVE-2016-2165

Pivotal Software » Cloud Foundry Elastic Runtime
Versions up to, including, (<=) 1.5.18
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:*:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.4
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.4:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.5
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.5:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.6
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.6:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.7
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.7:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.1
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.1:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.3
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.3:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.8
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.8:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.10
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.10:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.12
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.12:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.13
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.13:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.14
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.14:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.15
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.15:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.0
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.0:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.2
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.2:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.9
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.9:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.11
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.11:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.16
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.16:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.17
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.17:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.19
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.19:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Cloud Foundry Elastic Runtime » Version: 1.6.18
cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.18:*:*:*:*:*:*:*
Matching versions
Cloudfoundry » Cf-release
Versions up to, including, (<=) 231
cpe:2.3:a:cloudfoundry:cf-release:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-2165

EPSS FAQ

0.26%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 46 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-2165

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2016-2165

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-2165

https://pivotal.io/security/cve-2016-2165

CVE-2016-2165 Loggregator Request URL Paths | Security | Pivotal
Vendor Advisory

Jump to

Vulnerability Details : CVE-2016-2165

Products affected by CVE-2016-2165

Exploit prediction scoring system (EPSS) score for CVE-2016-2165

CVSS scores for CVE-2016-2165

CWE ids for CVE-2016-2165

References for CVE-2016-2165