PCF Autoscaling logs its database credentials
CVE-2020-5406

6.5MEDIUM

Key Information:

Vendor

Pivotal

Vendor
CVE Published:
10 April 2020

What is CVE-2020-5406?

VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password. A malicious user with access to those logs may gain unauthorized access to the database being used by Autoscaling.

Affected Version(s)

VMware Tanzu Application Service for VMs 2.8.x < 2.8.5

VMware Tanzu Application Service for VMs 2.7.x < 2.7.11

VMware Tanzu Application Service for VMs 2.6.x < 2.6.18

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.