PT-2017-8010 · Pivotal+1 · Pivotal Elastic Runtime+1
Published
2017-05-25
·
Updated
2021-08-25
·
CVE-2016-2165
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Pivotal Elastic Runtime versions prior to 1.5.19
Pivotal Elastic Runtime versions 1.6.x prior to 1.6.20
cf-release versions prior to v231
Description
The issue concerns the Loggregator Traffic Controller endpoints, which are not properly cleansing request URL paths when they are invalid. As a result, these invalid paths are returned in the 404 response, potentially allowing malicious scripts to be injected directly into the response.
Recommendations
For Pivotal Elastic Runtime versions prior to 1.5.19, update to version 1.5.19 or later.
For Pivotal Elastic Runtime versions 1.6.x prior to 1.6.20, update to version 1.6.20 or later.
For cf-release versions prior to v231, update to version v231 or later.
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pivotal Elastic Runtime
Cf-Release