CVE-2016-5016 — Cloud Foundry vulnerable to Improper Certificate Validation

Description

Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired.

How to fix CVE-2016-5016

To remediate CVE-2016-5016, upgrade the affected package to a fixed version below.

—upgrade to 3.3.0.3 or later

Is CVE-2016-5016 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 3.0.0, < 3.3.0.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-5016
WEBgithub.com/cloudfoundry/cf-release/releases/tag/v240
WEBgithub.com/cloudfoundry/uaa/commit/0a78612f981c541ad2d997e6a365f2a0b3e799d9
WEBgithub.com/cloudfoundry/uaa/commit/bc91ccd2029e8f1cea0c647f0c9aad4585f7a2c