
CVE-2020-5423: Cloud Controller is vulnerable to denial of service via YAML parsing

Severity

High

Vendor

VMware Tanzu

Description

VMware Tanzu Application Service for VMs, all versions prior to 2.7.29, all 2.8.x versions, 2.9.x versions prior to 2.9.17, and 2.10.x versions prior to 2.10.9, contain a version of CAPI (Cloud Controller) that is vulnerable to a denial-of-service attack: an unauthenticated attacker can send specially crafted YAML files to certain endpoints, causing the YAML parser to consume excessive CPU and RAM.
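As an added illustration of the defensive pattern for this class of issue (not the vendor's fix and not Cloud Controller code), the example below bounds untrusted YAML before and during parsing. It assumes Ruby's Psych parser; the byte and time limits are constructed values.

```ruby
require 'yaml'
require 'timeout'

# Constructed limits for this example; tune them to the endpoint's real payloads.
MAX_YAML_BYTES    = 64 * 1024
MAX_PARSE_SECONDS = 2

class YamlLimitExceeded < StandardError; end

# Parse untrusted YAML under resource limits:
#  1. reject oversized input before the parser ever sees it,
#  2. disallow aliases, so a small document cannot expand into a large object graph,
#  3. bound wall-clock parse time (best effort: Timeout only interrupts Ruby-level code).
def bounded_yaml_load(text)
  if text.bytesize > MAX_YAML_BYTES
    raise YamlLimitExceeded, "input is #{text.bytesize} bytes, limit #{MAX_YAML_BYTES}"
  end
  Timeout.timeout(MAX_PARSE_SECONDS) do
    YAML.safe_load(text, permitted_classes: [], permitted_symbols: [], aliases: false)
  end
rescue Psych::BadAlias => e
  raise YamlLimitExceeded, "aliases are not permitted: #{e.message}"
rescue Timeout::Error
  raise YamlLimitExceeded, "parse exceeded #{MAX_PARSE_SECONDS}s"
end

# Status tuple, the shape an HTTP handler would map to 200 vs. 4xx before touching the payload.
def classify_yaml(text)
  [:ok, bounded_yaml_load(text)]
rescue YamlLimitExceeded => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p classify_yaml("name: app\ninstances: 2\n")                  # constructed, accepted
  p classify_yaml("base: &b {memory: 256}\ncopy: *b\n")         # constructed, uses an alias
  p classify_yaml("blob: " + ("a" * MAX_YAML_BYTES) + "\n")     # constructed, oversized
end
```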

Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • VMware Tanzu Application Service for VMs
    • All versions prior to 2.7.29
    • All 2.8.x versions
    • 2.9.x versions prior to 2.9.17
    • 2.10.x versions prior to 2.10.9

Mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

  • VMware Tanzu Application Service for VMs
    • 2.7.29
    • 2.9.17
    • 2.10.9

References

History

2020-12-01: Initial vulnerability report published.