CVE-2016-2165 Loggregator Request URL Paths


Severity

Medium

Vendor

Cloud Foundry Foundation, Pivotal Cloud Foundry

Versions Affected
  • cf-release v231 and lower
  • Pivotal Elastic Runtime versions prior to 1.5.19 AND 1.6.x versions prior to 1.6.20
Description

The Loggregator Traffic Controller endpoints are not cleansing request URL paths when they are invalid and is returning them in the 404 response. This could allow malicious scripts to be written directly into the 404 response.

Mitigation

Users of affected versions should apply the following mitigation:

  • Upgrade to cf-release v233 [1] (cf-release v232 is not recommended for use)
  • Upgrade Pivotal Elastic Runtime 1.5.x versions to 1.5.19 or later OR 1.6.x versions to 1.6.20 or later
Credit

IBM Security, CoreLogic

References
History

2016-Mar-23: Initial vulnerability report published