App Autoscaler logs credentials
CVE-2020-5414

5.7MEDIUM

Key Information:

Vendor: Vmware Tanzu
Status: Pcf Autoscaling; Operations Manager; Vmware Tanzu Application Service For Vms
Vendor: CVE Published:; 31 July 2020

🔔 Create Vmware Tanzu Vulnerability Alert

What is CVE-2020-5414?

VMware Tanzu Application Service for VMs (2.7.x versions prior to 2.7.19, 2.8.x versions prior to 2.8.13, and 2.9.x versions prior to 2.9.7) contains an App Autoscaler that logs the UAA admin password. This credential is redacted on VMware Tanzu Operations Manager; however, the unredacted logs are available to authenticated users of the BOSH Director. This credential would grant administrative privileges to a malicious user. The same versions of App Autoscaler also log the App Autoscaler Broker password. Prior to newer versions of Operations Manager, this credential was not redacted from logs. This credential allows a malicious user to create, delete, and modify App Autoscaler services instances. Operations Manager started redacting this credential from logs as of its versions 2.7.15, 2.8.6, and 2.9.1. Note that these logs are typically only visible to foundation administrators and operators.

Affected Version(s)

Operations Manager 2.7 < 2.7.15

Operations Manager 2.8 < 2.8.6

Operations Manager 2.9 < 2.9.1

References

https://tanzu.vmware.com/security/cve-2020-5414

x_refsource_CONFIRM

CVSS V3.1

Score:

5.7

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 31, 2020
Vulnerability Reserved
Jan 3, 2020