Support Content Notification - Support Portal

CVE-2020-5406: PCF Autoscaling logs its database credentials

Product/Component

Notification Id

23744

Last Updated

09 April 2020

Initial Publication Date

09 April 2020

Status

CLOSED

Severity

HIGH

CVSS Base Score

WorkAround

Affected CVE

CVE-2020-5406

Severity

High

Vendor

Pivotal

Description

VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password. A malicious user with access to those logs may gain unauthorized access to the database being used by Autoscaling.

Affected VMware Products and Versions

Severity is high unless otherwise noted.

VMware Tanzu Application Service for VMs
- 2.6.x versions prior to 2.6.18
- 2.7.x versions prior to 2.7.11
- 2.8.x versions prior to 2.8.5

Mitigation

Users of affected versions should apply the following mitigation or upgrade:

VMware Tanzu Application Service for VMs
- 2.6.18
- 2.7.11
- 2.8.5

References

History

2020-04-09: Initial vulnerability report published.