PCF Autoscaling logs its database credentials
CVE-2020-5406
6.5MEDIUM
What is CVE-2020-5406?
VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password. A malicious user with access to those logs may gain unauthorized access to the database being used by Autoscaling.
Affected Version(s)
VMware Tanzu Application Service for VMs 2.8.x < 2.8.5
VMware Tanzu Application Service for VMs 2.7.x < 2.7.11
VMware Tanzu Application Service for VMs 2.6.x < 2.6.18
