CVE-2016-0708 - OpenCVE

Applications deployed to Cloud Foundry, versions v166 through v227, may be vulnerable to a remote disclosure of information, including, but not limited to environment variables and bound service details. For applications to be vulnerable, they must have been staged using automatic buildpack detection, passed through the Java Buildpack detection script, and allow the serving of static content from within the deployed artifact. The default Apache Tomcat configuration in the affected java buildpack versions for some basic web application archive (WAR) packaged applications are vulnerable to this issue.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cloudfoundry	Cf-release Java Buildpack

Configuration 1 [-]

OR	cpe:2.3:a:cloudfoundry:cf-release::::::::
	cpe:2.3:a:cloudfoundry:java_buildpack::::::::

No data.

References

Link	Providers
https://www.cloudfoundry.org/blog/cve-2016-0708/

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2018-07-11T20:00:00

Updated: 2024-08-05T22:30:03.631Z

Reserved: 2015-12-16T00:00:00

Link: CVE-2016-0708

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-07-11T20:29:00.227

Modified: 2018-09-11T18:49:33.573

Link: CVE-2016-0708

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Cloud Foundry", "vendor": "Cloud Foundry", "versions": [{"status": "affected", "version": "versions v166 through v227"}]}], "datePublic": "2016-01-18T00:00:00", "descriptions": [{"lang": "en", "value": "Applications deployed to Cloud Foundry, versions v166 through v227, may be vulnerable to a remote disclosure of information, including, but not limited to environment variables and bound service details. For applications to be vulnerable, they must have been staged using automatic buildpack detection, passed through the Java Buildpack detection script, and allow the serving of static content from within the deployed artifact. The default Apache Tomcat configuration in the affected java buildpack versions for some basic web application archive (WAR) packaged applications are vulnerable to this issue."}], "problemTypes": [{"descriptions": [{"description": "Information disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-07-11T19:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cloudfoundry.org/blog/cve-2016-0708/"}], "source": {"discovery": "UNKNOWN"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "ID": "CVE-2016-0708", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cloud Foundry", "version": {"version_data": [{"version_value": "versions v166 through v227"}]}}]}, "vendor_name": "Cloud Foundry"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Applications deployed to Cloud Foundry, versions v166 through v227, may be vulnerable to a remote disclosure of information, including, but not limited to environment variables and bound service details. For applications to be vulnerable, they must have been staged using automatic buildpack detection, passed through the Java Buildpack detection script, and allow the serving of static content from within the deployed artifact. The default Apache Tomcat configuration in the affected java buildpack versions for some basic web application archive (WAR) packaged applications are vulnerable to this issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information disclosure"}]}]}, "references": {"reference_data": [{"name": "https://www.cloudfoundry.org/blog/cve-2016-0708/", "refsource": "CONFIRM", "url": "https://www.cloudfoundry.org/blog/cve-2016-0708/"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T22:30:03.631Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cloudfoundry.org/blog/cve-2016-0708/"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2016-0708", "datePublished": "2018-07-11T20:00:00", "dateReserved": "2015-12-16T00:00:00", "dateUpdated": "2024-08-05T22:30:03.631Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudfoundry:cf-release:*:*:*:*:*:*:*:*", "matchCriteriaId": "702C39AA-F1A9-48C6-BA11-D0A12B20F3D4", "versionEndIncluding": "227", "versionStartIncluding": "166", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloudfoundry:java_buildpack:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C70F440-364D-412F-A05C-F170E7F9A463", "versionEndIncluding": "3.4", "versionStartIncluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Applications deployed to Cloud Foundry, versions v166 through v227, may be vulnerable to a remote disclosure of information, including, but not limited to environment variables and bound service details. For applications to be vulnerable, they must have been staged using automatic buildpack detection, passed through the Java Buildpack detection script, and allow the serving of static content from within the deployed artifact. The default Apache Tomcat configuration in the affected java buildpack versions for some basic web application archive (WAR) packaged applications are vulnerable to this issue."}, {"lang": "es", "value": "Las aplicaciones desplegadas en Cloud Foundry, desde la versi\u00f3n v166 hasta la v227, podr\u00edan ser vulnerables a una divulgaci\u00f3n de informaci\u00f3n remota que incluye, pero no se limita a, las variables de entorno y los detalles del servicio bound. Para que las aplicaciones sean vulnerables, deben haber sido preparadas mediante la detecci\u00f3n autom\u00e1tica de buildpack, pasadas a trav\u00e9s del script de detecci\u00f3n de Java Buildpack y deben permitir que se sirva contenido est\u00e1tico desde dentro del artefactos desplegados. La configuraci\u00f3n por defecto de Apache Tomcat en las versiones afectadas del Buildpack de Java para algunas aplicaciones WAR (web application archive) empaquetadas son vulnerables a este problema."}], "id": "CVE-2016-0708", "lastModified": "2018-09-11T18:49:33.573", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-11T20:29:00.227", "references": [{"source": "security_alert@emc.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.cloudfoundry.org/blog/cve-2016-0708/"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}