CVE-2016-2165 Loggregator Request URL Paths
Severity
Medium
Vendor
Cloud Foundry Foundation, Pivotal Cloud Foundry
Versions Affected
- cf-release v231 and lower
- Pivotal Elastic Runtime versions prior to 1.5.19 AND 1.6.x versions prior to 1.6.20
Description
The Loggregator Traffic Controller endpoints are not cleansing request URL paths when they are invalid and is returning them in the 404 response. This could allow malicious scripts to be written directly into the 404 response.
Mitigation
Users of affected versions should apply the following mitigation:
- Upgrade to cf-release v233 [1] (cf-release v232 is not recommended for use)
- Upgrade Pivotal Elastic Runtime 1.5.x versions to 1.5.19 or later OR 1.6.x versions to 1.6.20 or later
Credit
IBM Security, CoreLogic
References
History
2016-Mar-23: Initial vulnerability report published