Description

Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired.

Remediation

References

https://github.com/cloudfoundry/cf-release/releases/tag/v240

https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6

https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3

https://github.com/cloudfoundry/uaa/releases/tag/3.4.2

https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3

https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3

https://pivotal.io/security/cve-2016-5016

Related Vulnerabilities

CVE-2018-15494 Vulnerability in maven package org.webjars.bowergithub.dojo:dojox

CVE-2021-21304 Vulnerability in npm package dynamoose

CVE-2018-20242 Vulnerability in maven package org.apache.jspwiki:jspwiki-war

CVE-2020-11009 Vulnerability in maven package org.rundeck:rundeck

CVE-2022-21191 Vulnerability in npm package global-modules-path

Severity

Medium

Classification

CWE-295 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Release Notes Third Party Advisory Vendor Advisory