CVE-2016-0708 - OpenCVE

Applications deployed to Cloud Foundry, versions v166 through v227, may be vulnerable to a remote disclosure of information, including, but not limited to environment variables and bound service details. For applications to be vulnerable, they must have been staged using automatic buildpack detection, passed through the Java Buildpack detection script, and allow the serving of static content from within the deployed artifact. The default Apache Tomcat configuration in the affected java buildpack versions for some basic web application archive (WAR) packaged applications are vulnerable to this issue.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Cloudfoundry	Java Buildpack Cf-release

Configuration 1 [-]

OR	cpe:2.3:a:cloudfoundry:cf-release::::::::
	cpe:2.3:a:cloudfoundry:java_buildpack::::::::

References

Link	Resource
https://www.cloudfoundry.org/blog/cve-2016-0708/	Mitigation Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: dell

Published: 2018-07-11T20:00:00

Updated: 2018-07-11T19:57:01

Reserved: 2015-12-16T00:00:00

Link: CVE-2016-0708

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-07-11T20:29:00.227

Modified: 2018-09-11T18:49:33.573

Link: CVE-2016-0708

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"containers": {"cna": {"affected": [{"product": "Cloud Foundry", "vendor": "Cloud Foundry", "versions": [{"status": "affected", "version": "versions v166 through v227"}]}], "datePublic": "2016-01-18T00:00:00", "descriptions": [{"lang": "en", "value": "Applications deployed to Cloud Foundry, versions v166 through v227, may be vulnerable to a remote disclosure of information, including, but not limited to environment variables and bound service details. For applications to be vulnerable, they must have been staged using automatic buildpack detection, passed through the Java Buildpack detection script, and allow the serving of static content from within the deployed artifact. The default Apache Tomcat configuration in the affected java buildpack versions for some basic web application archive (WAR) packaged applications are vulnerable to this issue."}], "problemTypes": [{"descriptions": [{"description": "Information disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-07-11T19:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cloudfoundry.org/blog/cve-2016-0708/"}], "source": {"discovery": "UNKNOWN"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "ID": "CVE-2016-0708", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cloud Foundry", "version": {"version_data": [{"version_value": "versions v166 through v227"}]}}]}, "vendor_name": "Cloud Foundry"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Applications deployed to Cloud Foundry, versions v166 through v227, may be vulnerable to a remote disclosure of information, including, but not limited to environment variables and bound service details. For applications to be vulnerable, they must have been staged using automatic buildpack detection, passed through the Java Buildpack detection script, and allow the serving of static content from within the deployed artifact. The default Apache Tomcat configuration in the affected java buildpack versions for some basic web application archive (WAR) packaged applications are vulnerable to this issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information disclosure"}]}]}, "references": {"reference_data": [{"name": "https://www.cloudfoundry.org/blog/cve-2016-0708/", "refsource": "CONFIRM", "url": "https://www.cloudfoundry.org/blog/cve-2016-0708/"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2016-0708", "datePublished": "2018-07-11T20:00:00", "dateReserved": "2015-12-16T00:00:00", "dateUpdated": "2018-07-11T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudfoundry:cf-release:*:*:*:*:*:*:*:*", "matchCriteriaId": "702C39AA-F1A9-48C6-BA11-D0A12B20F3D4", "versionEndIncluding": "227", "versionStartIncluding": "166", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloudfoundry:java_buildpack:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C70F440-364D-412F-A05C-F170E7F9A463", "versionEndIncluding": "3.4", "versionStartIncluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Applications deployed to Cloud Foundry, versions v166 through v227, may be vulnerable to a remote disclosure of information, including, but not limited to environment variables and bound service details. For applications to be vulnerable, they must have been staged using automatic buildpack detection, passed through the Java Buildpack detection script, and allow the serving of static content from within the deployed artifact. The default Apache Tomcat configuration in the affected java buildpack versions for some basic web application archive (WAR) packaged applications are vulnerable to this issue."}, {"lang": "es", "value": "Las aplicaciones desplegadas en Cloud Foundry, desde la versi\u00f3n v166 hasta la v227, podr\u00edan ser vulnerables a una divulgaci\u00f3n de informaci\u00f3n remota que incluye, pero no se limita a, las variables de entorno y los detalles del servicio bound. Para que las aplicaciones sean vulnerables, deben haber sido preparadas mediante la detecci\u00f3n autom\u00e1tica de buildpack, pasadas a trav\u00e9s del script de detecci\u00f3n de Java Buildpack y deben permitir que se sirva contenido est\u00e1tico desde dentro del artefactos desplegados. La configuraci\u00f3n por defecto de Apache Tomcat en las versiones afectadas del Buildpack de Java para algunas aplicaciones WAR (web application archive) empaquetadas son vulnerables a este problema."}], "id": "CVE-2016-0708", "lastModified": "2018-09-11T18:49:33.573", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-11T20:29:00.227", "references": [{"source": "security_alert@emc.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.cloudfoundry.org/blog/cve-2016-0708/"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}