{"api_version":"1","generated_at":"2026-04-22T23:29:16+00:00","cve":"CVE-2016-5016","urls":{"html":"https://cve.report/CVE-2016-5016","api":"https://cve.report/api/cve/CVE-2016-5016.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-5016","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-5016"},"summary":{"title":"CVE-2016-5016","description":"Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2017-04-24 19:59:00","updated_at":"2019-02-26 17:18:00"},"problem_types":["CWE-295"],"metrics":[],"references":[{"url":"https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3","name":"https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3","refsource":"CONFIRM","tags":["Release Notes","Third Party Advisory"],"title":"Release Updated to UAA 3.4.2 · cloudfoundry/uaa-release · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://pivotal.io/security/cve-2016-5016","name":"https://pivotal.io/security/cve-2016-5016","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"CVE-2016-5016 UAA accepts expired certificates | Security | VMware Tanzu","mime":"text/html","httpstatus":"403","archivestatus":"200"},{"url":"https://github.com/cloudfoundry/cf-release/releases/tag/v240","name":"https://github.com/cloudfoundry/cf-release/releases/tag/v240","refsource":"CONFIRM","tags":["Release Notes","Third Party Advisory"],"title":"Release v240 · cloudfoundry-attic/cf-release · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3","name":"https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3","refsource":"CONFIRM","tags":["Release Notes","Third Party Advisory"],"title":"Release Updated to UAA 3.3.0.3 · cloudfoundry/uaa-release · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/cloudfoundry/uaa/releases/tag/3.4.2","name":"https://github.com/cloudfoundry/uaa/releases/tag/3.4.2","refsource":"CONFIRM","tags":["Release Notes","Third Party Advisory"],"title":"Release UAA 3.4.2 - Security Release (CVE-2016-5016) · cloudfoundry/uaa · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3","name":"https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3","refsource":"CONFIRM","tags":["Release Notes","Third Party Advisory"],"title":"Release UAA 3.3.0.3 - Security Release (CVE-2016-5016) · cloudfoundry/uaa · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6","name":"https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6","refsource":"CONFIRM","tags":["Release Notes","Third Party Advisory"],"title":"Release UAA 2.7.4.6 - Security Release (CVE-2016-5016) · cloudfoundry/uaa · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-5016","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-5016","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"5016","vulnerable":"1","versionEndIncluding":"239","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pivotal_software","cpe5":"cloud_foundry","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"5016","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pivotal_software","cpe5":"cloud_foundry_elastic_runtime","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"5016","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pivotal_software","cpe5":"cloud_foundry_elastic_runtime","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"5016","vulnerable":"1","versionEndIncluding":"3.4.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pivotal_software","cpe5":"cloud_foundry_uaa","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"5016","vulnerable":"1","versionEndIncluding":"12.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pivotal_software","cpe5":"cloud_foundry_uaa-release","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"secalert@redhat.com","ID":"CVE-2016-5016","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6","refsource":"CONFIRM","url":"https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6"},{"name":"https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3","refsource":"CONFIRM","url":"https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3"},{"name":"https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3","refsource":"CONFIRM","url":"https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3"},{"name":"https://github.com/cloudfoundry/uaa/releases/tag/3.4.2","refsource":"CONFIRM","url":"https://github.com/cloudfoundry/uaa/releases/tag/3.4.2"},{"name":"https://github.com/cloudfoundry/cf-release/releases/tag/v240","refsource":"CONFIRM","url":"https://github.com/cloudfoundry/cf-release/releases/tag/v240"},{"name":"https://pivotal.io/security/cve-2016-5016","refsource":"CONFIRM","url":"https://pivotal.io/security/cve-2016-5016"},{"name":"https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3","refsource":"CONFIRM","url":"https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3"}]}},"nvd":{"publishedDate":"2017-04-24 19:59:00","lastModifiedDate":"2019-02-26 17:18:00","problem_types":["CWE-295"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":5.9,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.2,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*","versionEndIncluding":"3.4.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pivotal_software:cloud_foundry:*:*:*:*:*:*:*:*","versionEndIncluding":"239","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:*:*:*:*:*:*:*:*","versionStartIncluding":"1.6.0","versionEndExcluding":"1.6.35","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:*:*:*:*:*:*:*:*","versionStartIncluding":"1.7.0","versionEndExcluding":"1.7.13","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:*:*:*:*:*:*:*:*","versionEndIncluding":"12.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"5016","Ordinal":"90960","Title":"CVE-2016-5016","CVE":"CVE-2016-5016","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"5016","Ordinal":"1","NoteData":"Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired.","Type":"Description","Title":null},{"CveYear":"2016","CveId":"5016","Ordinal":"2","NoteData":"2017-04-24","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"5016","Ordinal":"3","NoteData":"2017-04-24","Type":"Other","Title":"Modified"}]}}}