Cloud Foundry Logo
blog single gear
Blog
Security Advisory

CVE-2016-2165 Loggregator Request URL Paths

by: March 23, 2016

CVE-2016-2165 Loggregator Request URL Paths

Severity

Medium

Vendor

Cloud Foundry Foundation, VMware Cloud Foundry

Versions Affected

  • cf-release v231 and lower

Description

The Loggregator Traffic Controller endpoints are not cleansing request URL paths when they are invalid and is returning them in the 404 response. This could allow malicious scripts to be written directly into the 404 response.

Mitigation

Users of affected versions should apply the following mitigation:

  • Upgrade to cf-release v233 [1] (cf-release v232 is not recommended for use)

Credit

IBM Security, CoreLogic

References

History

2016-Mar-23: Initial vulnerability report published to pivotal.io

2017-Sep-09: Initial vulnerability report published to cloudfoundry.org

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

CVE-2018-15754: UAA issues tokens across identity providers if users with matching usernames exist
Security Advisory

CVE-2018-15754: UAA issues tokens across identity providers if users with matching usernames exist

by Cloud Foundry Foundation Security Team December 10, 2018
USN-4019-1: SQLite vulnerabilities
Security Advisory

USN-4019-1: SQLite vulnerabilities

by Cloud Foundry Foundation Security Team July 10, 2019
CVE-2014-8159 – Linux Kernel Infiniband Vulnerability
Security Advisory

CVE-2014-8159 – Linux Kernel Infiniband Vulnerability

by Cloud Foundry Foundation Security Team March 13, 2015
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept