CVE-2020-5406: PCF Autoscaling logs its database credentials
Severity
High
Vendor
Pivotal
Description
VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password. A malicious user with access to those logs may gain unauthorized access to the database being used by Autoscaling.
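As a practitioner's check for this class of defect (an added example, not part of the VMware advisory or of the Autoscaling code base): a small scanner that flags and redacts credential values in connection-property dumps of the kind described above. The log lines are constructed for the example; the real PCF Autoscaling log format is not shown on this page and the key=value layout used here is an assumption.

```python
import re

# Constructed sample log lines for this example only. The real PCF
# Autoscaling log format is not documented here; key=value property
# dumps and a JDBC URL with credentials in its query string are assumed.
SAMPLE_LOG = """\
2020-04-09T10:15:01Z INFO  Starting autoscale service
2020-04-09T10:15:02Z INFO  Resolved datasource properties: {url=jdbc:mysql://10.0.1.5:3306/autoscale, username=autoscale_app, password=Sup3rS3cret!}
2020-04-09T10:15:03Z INFO  Scaling rule evaluated for app guid 1234
2020-04-09T10:15:04Z DEBUG spring.datasource.password=AnotherS3cret
2020-04-09T10:15:05Z INFO  url=jdbc:postgresql://10.0.1.5:5432/autoscale?user=autoscale_app&password=Qu3ryStr1ng&sslmode=require
"""

# Property names whose values must never reach a log. Matched
# case-insensitively as "key=value" or "key: value"; the key may carry a
# dotted prefix such as spring.datasource.password.
SECRET_KEYS = ("password", "passwd", "pwd", "secret", "token")
SECRET_RE = re.compile(
    r"(?P<key>[\w.\-]*(?:" + "|".join(SECRET_KEYS) + r"))"
    r"\s*[=:]\s*"
    # The value runs until whitespace, a separator, or a closing brace
    # or quote, so a value inside {...} or a URL query string stops cleanly.
    r"(?P<val>[^\s,&}\]\"']+)",
    re.IGNORECASE,
)


def find_leaked_credentials(log_text):
    """Return (line_number, key, value) for every credential-looking token.

    Intended for scanning already-written log files after an incident like
    this one, to learn which secrets were exposed and must be rotated.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in SECRET_RE.finditer(line):
            hits.append((lineno, m.group("key"), m.group("val")))
    return hits


def redact(log_text):
    """Replace every credential value with a placeholder, keeping the key."""
    return SECRET_RE.sub(lambda m: f"{m.group('key')}=<redacted>", log_text)


if __name__ == "__main__":
    for lineno, key, _ in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {lineno}: value of '{key}' is exposed")
    print(redact(SAMPLE_LOG))
```

Run the scanner over each log source that received Autoscaling output (local files and any aggregation pipeline), then rotate every credential it reports; redaction is useful for sanitising copies you keep for analysis, but it does not undo exposure that has already happened.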
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- VMware Tanzu Application Service for VMs
- 2.6.x versions prior to 2.6.18
- 2.7.x versions prior to 2.7.11
- 2.8.x versions prior to 2.8.5
Mitigation
Users of affected versions should upgrade to the fixed versions listed below. Upgrading stops the credentials from being written to new log entries; it does not remove copies already present in existing log files or in any log aggregation system, so the Autoscaling database password should also be rotated.
- VMware Tanzu Application Service for VMs
- 2.6.18
- 2.7.11
- 2.8.5
References
History
2020-04-09: Initial vulnerability report published.