Cloud Foundry Logo
blog single gear
Blog
Security Advisory

CVE-2016-2165 Loggregator Request URL Paths

by: March 23, 2016

CVE-2016-2165 Loggregator Request URL Paths

Severity

Medium

Vendor

Cloud Foundry Foundation, VMware Cloud Foundry

Versions Affected

  • cf-release v231 and lower

Description

The Loggregator Traffic Controller endpoints are not cleansing request URL paths when they are invalid and is returning them in the 404 response. This could allow malicious scripts to be written directly into the 404 response.

Mitigation

Users of affected versions should apply the following mitigation:

  • Upgrade to cf-release v233 [1] (cf-release v232 is not recommended for use)

Credit

IBM Security, CoreLogic

References

History

2016-Mar-23: Initial vulnerability report published to pivotal.io

2017-Sep-09: Initial vulnerability report published to cloudfoundry.org

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-4891-1: OpenSSL vulnerability
Security Advisory

USN-4891-1: OpenSSL vulnerability

by Cloud Foundry Foundation Security Team April 14, 2021
USN-5150-1: OpenEXR vulnerability
Security Advisory

USN-5150-1: OpenEXR vulnerability

by Cloud Foundry Foundation Security Team January 20, 2022
USN-4132-1: Expat vulnerability
Security Advisory

USN-4132-1: Expat vulnerability

by Cloud Foundry Foundation Security Team September 30, 2019
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept