{"id":"CVE-2016-2165","details":"The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivotal Elastic Runtime versions prior to 1.5.19, and 1.6.x versions prior to 1.6.20 do not sanitize invalid request URL paths and return them in the 404 response. This could allow malicious scripts to be written directly into the 404 response.","modified":"2026-04-11T12:02:31.642605Z","published":"2017-05-25T17:29:00.600Z","database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.5.18"}]},{"cpe":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.10:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.6.10"}]},{"cpe":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.11:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.6.11"}]},{"cpe":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.12:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.6.12"}]},{"cpe":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.13:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.6.13"}]},{"cpe":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.14:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.6.14"}]},{"cpe":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.15:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.6.15"}]},{"cpe":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.16:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.6.16"}]},{"cpe":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.17:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.6.17"}]},{"cpe":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.18:*:*:*:*:*:*:*","source
":"CPE_FIELD","extracted_events":[{"last_affected":"1.6.18"}]},{"cpe":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.19:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.6.19"}]},{"cpe":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.6:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.6.6"}]},{"cpe":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.7:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.6.7"}]},{"cpe":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.8:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.6.8"}]},{"cpe":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.9:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.6.9"}]}]},"references":[{"type":"ADVISORY","url":"https://pivotal.io/security/cve-2016-2165"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cloudfoundry-attic/cf-release","events":[{"introduced":"0"},{"last_affected":"9e31b98e104825c136d96a711bec2135f4a6ed33"}],"database_specific":{"cpe":"cpe:2.3:a:cloudfoundry:cf-release:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"231"}]}}],"versions":["-","list","log","rc145.0","scotty_09012012","v100","v102","v103","v104","v105","v109","v119","v132","v133","v134","v135","v136","v137","v140","v143","v156","v157","v161","v170","v183","v205","v231","v99","works-for-us"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-2165.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/cloudfoundry/uaa","events":[{"introduced":"0"},{"last_affected":"ae59bf11fec166fd075b1dbead2ae16effa57e3f"},{"last_affected":"96b1fc8e3a982b6f478e363f3919a4a16e0a6a92"},{"last_affected":"58caa488fe3cc30f745b9f5079c42141d606436b"},{"last_affected":"e0080f861db5b30c0793973e5c4fff7153040ecb"},{"last_affected":"bb7
5c2730c921667652b4589d67bec2246b1f306"},{"last_affected":"cde7ba5da9b64cb45bd64c61c6fb2899bbc3e0f2"}],"database_specific":{"cpe":["cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.0:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.1:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.2:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.3:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.4:*:*:*:*:*:*:*","cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:1.6.5:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"1.6.0"},{"last_affected":"1.6.1"},{"last_affected":"1.6.2"},{"last_affected":"1.6.3"},{"last_affected":"1.6.4"},{"last_affected":"1.6.5"}]}}],"versions":["1.0.1","1.0.3","1.1","1.1.1","1.1.2","1.2.0","1.2.6","1.4.0","1.4.1","1.4.2","1.4.3","1.4.5","1.4.6","1.4.7","1.5.0","1.5.2","1.5.2.1","1.5.3","1.5.4","1.5.4.1","1.6.0","1.6.1","1.6.2","1.6.3","1.6.4","1.6.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-2165.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}