Description

Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired.

Remediation

References

https://github.com/cloudfoundry/cf-release/releases/tag/v240

https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6

https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3

https://github.com/cloudfoundry/uaa/releases/tag/3.4.2

https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3

https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3

https://pivotal.io/security/cve-2016-5016

Related Vulnerabilities

CVE-2019-19703 Vulnerability in maven package io.ktor:ktor-client-core

CVE-2019-16777 Vulnerability in maven package org.webjars.npm:bin-links

CVE-2016-10735 Vulnerability in maven package org.webjars.bowergithub.jasny:bootstrap

CVE-2020-2204 Vulnerability in maven package org.jenkins-ci.plugins:fortify-on-demand-uploader

CVE-2017-1000228 Vulnerability in npm package ejs

Severity

Medium

Classification

CWE-295 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Release Notes Third Party Advisory Vendor Advisory