PT-2018-4624 · Cloud Foundry

Published: 2018-07-11 · Updated: 2018-09-11 · CVE-2016-0708

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Cloud Foundry versions v166 through v227

Description: The issue allows for remote disclosure of information, including environment variables and bound service details, in applications deployed to Cloud Foundry. This affects applications that were staged using automatic buildpack detection, passed through the Java Buildpack detection script, and allow the serving of static content from within the deployed artifact. Specifically, the default Apache Tomcat configuration in the affected Java buildpack versions for some basic web application archive (WAR) packaged applications is vulnerable to this issue.

Recommendations: For Cloud Foundry versions v166 through v227, to resolve the issue, ensure that applications are not staged using automatic buildpack detection or restrict the serving of static content from within the deployed artifact. Additionally, consider reconfiguring the Apache Tomcat settings to prevent the disclosure of sensitive information.
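One way to apply the first recommendation is to pin the buildpack in the application manifest so that staging never goes through automatic buildpack detection. The manifest below is an added example and not part of the advisory; the application name `my-app` and the artifact path `target/my-app.war` are assumed values.

```yaml
# Added example manifest.yml (not from the advisory).
# Assumed values: application name "my-app", artifact path "target/my-app.war".
---
applications:
- name: my-app
  path: target/my-app.war
  # Name the buildpack explicitly. Leaving this key out makes the platform
  # choose a buildpack by automatic detection, which is the staging path the
  # advisory describes as affected.
  buildpacks:
  - java_buildpack
```

The same pin can be applied from the CLI with `cf push my-app -b java_buildpack -p target/my-app.war`; older CLI versions use the singular `buildpack` manifest key instead of the `buildpacks` list. After pushing, `cf app my-app` shows which buildpack the running application was staged with, which is a quick way to confirm that detection was not used.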

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers: CVE-2016-0708

Affected Products: Apache Tomcat, Cloud Foundry