CVE-2020-5406: PCF Autoscaling logs its database credentials
Severity

High

Vendor

Pivotal

Description

VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password. A malicious user with access to those logs may gain unauthorized access to the database being used by Autoscaling.
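As an added illustration of this failure mode (example code written here, not the advisory's or the Autoscaling component's own code, whose logging path is not shown on this page): a redacting wrapper that makes a connection-properties map safe to log, beside a check that flags log lines where a credential was written in plaintext. The property names, key list and log lines are constructed for the example.

```python
import re
from typing import Dict, List

# Property-name fragments treated as credential-bearing. Constructed for this
# example; extend it to match the keys your own service actually loads.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token"}

def redact_connection_properties(props: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of a connection-properties map that is safe to log.

    Values under credential-bearing keys are replaced with a fixed marker, so
    the log still records which settings were loaded, but not their values.
    """
    redacted = {}
    for key, value in props.items():
        if any(marker in key.lower() for marker in SENSITIVE_KEYS):
            redacted[key] = "<redacted>"
        else:
            redacted[key] = value
    return redacted

# Matches "password=value", "password: value" and dict-dump shapes such as
# 'db.password': 'value', which is what logging a properties map verbatim yields.
_CRED_RE = re.compile(
    r"\b(password|passwd|pwd|secret|token)\b['\"]?\s*[=:]\s*(['\"]?)([^\s,'\"}]+)\2",
    re.IGNORECASE,
)

def find_leaked_credentials(lines: List[str]) -> List[int]:
    """Return 1-based indices of log lines carrying a plaintext credential.

    A value that is already the redaction marker is not reported as a leak.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in _CRED_RE.finditer(line):
            if m.group(3) != "<redacted>":
                hits.append(n)
                break
    return hits

# Constructed sample log: line 2 dumps the properties map as-is (the bug the
# advisory describes); line 3 shows the same event after redaction.
SAMPLE_LOG = [
    "2020-04-09T10:00:00Z INFO starting autoscaler",
    "2020-04-09T10:00:01Z INFO db config: {'db.host': 'db.internal', 'db.username': 'autoscale', 'db.password': 's3cr3t'}",
    "2020-04-09T10:00:02Z INFO db config: {'db.host': 'db.internal', 'db.username': 'autoscale', 'db.password': '<redacted>'}",
]

if __name__ == "__main__":
    print("leaking lines:", find_leaked_credentials(SAMPLE_LOG))  # [2]
```

Running the scanner over archived Autoscaling logs from an affected version tells you whether credentials already reached log storage and therefore need rotating, not only upgrading.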

Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • VMware Tanzu Application Service for VMs
    • 2.6.x versions prior to 2.6.18
    • 2.7.x versions prior to 2.7.11
    • 2.8.x versions prior to 2.8.5

Mitigation

Users of affected versions should apply the following mitigation or upgrade:

  • VMware Tanzu Application Service for VMs
    • 2.6.18
    • 2.7.11
    • 2.8.5

History

2020-04-09: Initial vulnerability report published.