Strix
26.1K

CVE-2016-6658

UnknownEPSS 0.88%

Last modified

CVE-2016-6658 is a vulnerability of currently unknown severity. Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. EPSS estimates a 0.88% chance of exploitation in the next 30 days.

Description

Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repo. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud Controller database could view these credentials.

Metrics

EPSS Probability
0.88%

54.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
CloudfoundryCf-Release< 245
Pivotal SoftwareCloud Foundry Elastic Runtime< 1.6.49
Pivotal SoftwareCloud Foundry Elastic Runtime>= 1.7.0, < 1.7.31
Pivotal SoftwareCloud Foundry Elastic Runtime>= 1.8.0, < 1.8.11

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2016-6658?
Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repo. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud Controller database could view these credentials.
How severe is CVE-2016-6658?
Severity scoring for CVE-2016-6658 is pending analysis. The EPSS model estimates a 0.88% probability of exploitation in the next 30 days.
How do I fix CVE-2016-6658?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-6658?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST