CVE-2020-5406: PCF Autoscaling logs its database credentials
23744
09 April 2020
CLOSED
HIGH
CVE-2020-5406
Severity
High
Vendor
Pivotal
Description
VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password. A malicious user with access to those logs may gain unauthorized access to the database being used by Autoscaling.
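The defect described above is a credential-in-logs weakness: connection properties, including the database password, reach a log that more people can read than the database itself. Two defensive controls follow from that, and the added example below demonstrates both in Python. It is illustrative code written for this page, not PCF Autoscaling's own code, and the log lines, property names and credential formats it uses are constructed for the example (the real Autoscaling log format is not shown in the advisory). It shows (1) masking secret-valued connection properties before they are logged, and (2) a scanner that flags and scrubs credentials that did make it into existing log lines, which is the check a responder would run on logs retained from an affected version.

```python
import re
from typing import Dict, List, Tuple

# Property names whose values must never be written to a log.
# Constructed list for this example; extend it to match your own configuration keys.
SECRET_KEYS = {"password", "passwd", "pwd", "secret", "token"}
MASK = "***REDACTED***"


def redact_connection_properties(props: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of a connection-property map that is safe to log.

    Secret-valued keys are masked; non-secret keys (host, port, username) are kept
    so the log line stays useful for debugging connectivity problems.
    """
    return {k: (MASK if k.lower() in SECRET_KEYS else v) for k, v in props.items()}


# Patterns for credentials that leak into free-text log lines:
#  - key/value pairs such as "password=hunter2" or "secret: abc"
#  - credentials embedded in a connection URL such as "postgres://user:pass@host/db"
_KV_SECRET = re.compile(r"(?i)\b(password|passwd|pwd|secret|token)(\s*[=:]\s*)([^\s,;]+)")
_URL_CREDS = re.compile(r"(\w+://[^:/\s]+):([^@\s]+)@")


def find_leaked_credentials(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, matched_text) for every line that appears to carry a credential.

    Line numbers are 1-based so they can be quoted directly in an incident report.
    """
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(log_lines, start=1):
        for pattern in (_KV_SECRET, _URL_CREDS):
            for m in pattern.finditer(line):
                hits.append((n, m.group(0)))
    return hits


def scrub_line(line: str) -> str:
    """Mask any credential found in a single log line, preserving the rest of the line."""
    line = _KV_SECRET.sub(lambda m: f"{m.group(1)}{m.group(2)}{MASK}", line)
    line = _URL_CREDS.sub(lambda m: f"{m.group(1)}:{MASK}@", line)
    return line


# Constructed sample log, modelled on the kind of start-up output the advisory describes;
# it is not real Autoscaling output and the credential values are invented.
SAMPLE_LOG = [
    "2020-04-09T10:00:00Z INFO  starting autoscaling worker",
    "2020-04-09T10:00:01Z DEBUG db config: host=db.internal port=5432 username=autoscale password=s3cr3t-example",
    "2020-04-09T10:00:02Z DEBUG datasource url=postgres://autoscale:s3cr3t-example@db.internal:5432/autoscale",
    "2020-04-09T10:00:03Z INFO  scaled app web-frontend to 3 instances",
]


if __name__ == "__main__":
    # What the service should have logged: the property map with the secret masked.
    props = {"host": "db.internal", "port": "5432", "username": "autoscale", "password": "s3cr3t-example"}
    print("safe to log:", redact_connection_properties(props))

    # What a responder does with logs retained from an affected version: locate, then scrub.
    for lineno, matched in find_leaked_credentials(SAMPLE_LOG):
        print(f"credential on line {lineno}: {matched}")
    for line in SAMPLE_LOG:
        print(scrub_line(line))
```

On the sample log the scanner reports the `password=` pair on line 2 and the `user:pass@` segment of the URL on line 3, and `scrub_line` masks both while leaving host, port and username intact. The property-level mask is the fix that belongs in the application; the line-level scanner is the compensating control for logs that were already written, and it should also be run against any log aggregator or backup that received those lines, since rotating the database password is still required once a leak is confirmed.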
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- VMware Tanzu Application Service for VMs
- 2.6.x versions prior to 2.6.18
- 2.7.x versions prior to 2.7.11
- 2.8.x versions prior to 2.8.5
Mitigation
Users of affected versions should apply the following mitigation or upgrade:
- VMware Tanzu Application Service for VMs
- 2.6.18
- 2.7.11
- 2.8.5
History
2020-04-09: Initial vulnerability report published.