Description

Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired.

Remediation

References

https://github.com/cloudfoundry/cf-release/releases/tag/v240

https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6

https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3

https://github.com/cloudfoundry/uaa/releases/tag/3.4.2

https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3

https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3

https://pivotal.io/security/cve-2016-5016

Related Vulnerabilities

CVE-2021-21346 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2022-31197 Vulnerability in maven package org.postgresql:postgresql

CVE-2020-7772 Vulnerability in npm package doc-path

CVE-2019-5438 Vulnerability in npm package harp

CVE-2022-39366 Vulnerability in maven package io.acryl:datahub-client

Severity

Medium

Classification

CWE-295 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Release Notes Third Party Advisory Vendor Advisory