CVE-2023-20891

Published: Jul 26, 2023

Modified: Oct 21, 2024

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

The VMware Tanzu Application Service for VMs and Isolation Segment contain an information disclosure vulnerability due to the logging of credentials in hex encoding in platform system audit logs. A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs.

Vendor	Product	Versions
VMware	VMware Tanzu Application Service for VMs	affected `4.0.x - < 4.0.5` affected `3.0.x - < 3.0.14` affected `2.13.x - < 2.13.24` affected `2.11.x - < 2.11.42`
VMware	Isolation segment	affected `4.0.x - < 4.0.4` affected `3.0.x - < 3.0.13` affected `2.13.x - < 2.13.20` affected `2.11.x - < 2.11.35`

Weaknesses (CWE)

CWE-532

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://www.vmware.com/security/advisories/VMSA-2023-0016.html

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-20891

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References