CredHub does not properly enable TLS for MySQL database connections
CVE-2020-5399

7.6HIGH

Key Information:

Vendor: Cloud Foundry
Status: Credhub
Vendor: CVE Published:; 12 February 2020

🔔 Create Cloud Foundry Vulnerability Alert

What is CVE-2020-5399?

Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS. A malicious user with access to the network between CredHub and its MySQL database may eavesdrop on database connections and thereby gain unauthorized access to CredHub and other components.

Affected Version(s)

CredHub Edge < 2.5.10

References

https://www.cloudfoundry.org/blog/cve-2020-5399

x_refsource_CONFIRM

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

CVSS V3.0

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 12, 2020
Vulnerability Reserved
Jan 3, 2020

CVE-2020-5399 Data

JSON