CVE-2016-5016

MEDIUM

Pivotal Software Cloud Foundry < 239 - Improper Certificate Validation

Description

Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 do not check whether a certificate is expired.

Scores

CVSS v3 5.9
EPSS 0.0028
EPSS Percentile 50.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE
CWE-295
Status published

Affected Products (6)

pivotal_software/cloud_foundry < 239
pivotal_software/cloud_foundry_elastic_runtime < 1.6.35
pivotal_software/cloud_foundry_uaa < 3.4.1
pivotal_software/cloud_foundry_uaa-release < 12.2
org.cloudfoundry.identity/cloudfoundry-identity-server < 3.3.0.3 (Maven)
n/a/n/a

Timeline

Published Apr 24, 2017
Tracked Since Feb 18, 2026