CVE-2020-5414
Published: Jul 31, 2020
Modified: Sep 17, 2024
CVSS v3.0
5.7
Description
VMware Tanzu Application Service for VMs (2.7.x versions prior to 2.7.19, 2.8.x versions prior to 2.8.13, and 2.9.x versions prior to 2.9.7) contains an App Autoscaler that logs the UAA admin password. This credential is redacted on VMware Tanzu Operations Manager; however, the unredacted logs are available to authenticated users of the BOSH Director. This credential would grant administrative privileges to a malicious user. The same versions of App Autoscaler also log the App Autoscaler Broker password. Prior to newer versions of Operations Manager, this credential was not redacted from logs. This credential allows a malicious user to create, delete, and modify App Autoscaler services instances. Operations Manager started redacting this credential from logs as of its versions 2.7.15, 2.8.6, and 2.9.1. Note that these logs are typically only visible to foundation administrators and operators.
| Vendor | Product | Versions |
|---|---|---|
VMware Tanzu | PCF Autoscaling | affected All - < v232 |
VMware Tanzu | Operations Manager | affected 2.7 - < 2.7.15affected 2.8 - < 2.8.6affected 2.9 - < 2.9.1 |
VMware Tanzu | VMware Tanzu Application Service for VMs | affected 2.9.x - < 2.9.7affected 2.7.x - < 2.7.19affected 2.8.x - < 2.8.13 |
Weaknesses (CWE)
CVSS v3.0 Details
CVSS v3.0 Vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now