CVE-2020-5426: Scheduler for TAS can transmit privileged UAA token in plaintext
Scheduler for TAS prior to version 1.4.0 could transmit the UAA client token in plaintext by sending it over a non-TLS connection. Whether this happened also depended on the configuration of the MySQL server, which the service uses to cache the UAA client token.
If intercepted, the token can give an attacker admin-level access to the Cloud Controller.
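The advisory ties exposure to the MySQL server's configuration: a client that silently falls back to plaintext when the server is not set up for TLS will leak whatever it stores, here a privileged UAA token. The added example below (not Scheduler for TAS code, and not from the advisory) shows the fail-closed alternative for a client speaking the standard MySQL wire protocol: it parses the server's initial HandshakeV10 greeting, checks whether the CLIENT_SSL capability bit is set, and refuses to continue when the server does not offer TLS, so no credential is ever written to an unencrypted connection. The two handshake packets are constructed in-line for illustration; the field layout follows the documented HandshakeV10 format.

```python
"""Fail-closed TLS check against a MySQL server's HandshakeV10 greeting.

Added example, not part of Scheduler for TAS or the advisory.  It assumes
the token cache is a MySQL server reached over the standard wire protocol.
The sample packets are constructed here, not captured from a deployment.
"""
import io
import struct

# Capability flags from the MySQL client/server protocol.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800              # server offers TLS (STARTTLS-style upgrade)
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def read_packet(reader):
    """Read one MySQL packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    header = reader.read(4)
    if len(header) != 4:
        raise ValueError("short packet header")
    length = header[0] | header[1] << 8 | header[2] << 16
    payload = reader.read(length)
    if len(payload) != length:
        raise ValueError("short packet payload")
    return header[3], payload


def parse_handshake_v10(payload):
    """Extract the HandshakeV10 fields needed to decide whether TLS is on offer."""
    if payload[0] != 10:
        raise ValueError("not a HandshakeV10 packet (protocol version %d)" % payload[0])
    end = payload.index(b"\x00", 1)                 # NUL-terminated server version
    server_version = payload[1:end].decode("ascii")
    pos = end + 1
    (thread_id,) = struct.unpack_from("<I", payload, pos)
    pos += 4
    pos += 8 + 1                                    # auth-plugin-data-part-1 + filler
    (cap_lo,) = struct.unpack_from("<H", payload, pos)
    pos += 2
    pos += 1                                        # character set
    pos += 2                                        # status flags
    (cap_hi,) = struct.unpack_from("<H", payload, pos)
    capabilities = cap_lo | cap_hi << 16
    return {
        "server_version": server_version,
        "thread_id": thread_id,
        "capabilities": capabilities,
        "tls_offered": bool(capabilities & CLIENT_SSL),
    }


def require_tls(reader):
    """Fail closed: return the parsed greeting only if the server advertises CLIENT_SSL.

    Raising here is the whole point; the caller never gets to the step where a
    token would be sent, so a misconfigured server cannot downgrade the client
    to plaintext."""
    _seq, payload = read_packet(reader)
    greeting = parse_handshake_v10(payload)
    if not greeting["tls_offered"]:
        raise RuntimeError("MySQL %s does not offer TLS; refusing to send credentials"
                           % greeting["server_version"])
    return greeting


def server_offers_tls(packet_bytes):
    """Convenience wrapper: True if require_tls() would let a connection proceed."""
    try:
        require_tls(io.BytesIO(packet_bytes))
        return True
    except RuntimeError:
        return False


def build_handshake_v10(server_version, capabilities, thread_id=7):
    """Construct a HandshakeV10 packet (constructed sample for testing, not a capture)."""
    body = bytes([10]) + server_version.encode("ascii") + b"\x00"
    body += struct.pack("<I", thread_id)
    body += b"A" * 8 + b"\x00"                      # auth-plugin-data-part-1, filler
    body += struct.pack("<H", capabilities & 0xFFFF)
    body += bytes([0x21])                           # utf8_general_ci
    body += struct.pack("<H", 0x0002)               # SERVER_STATUS_AUTOCOMMIT
    body += struct.pack("<H", capabilities >> 16)
    body += bytes([21]) + b"\x00" * 10              # auth_plugin_data_len, reserved
    body += b"B" * 13                               # auth-plugin-data-part-2
    body += b"mysql_native_password\x00"            # auth plugin name (CLIENT_PLUGIN_AUTH)
    return struct.pack("<I", len(body))[:3] + b"\x00" + body


BASE_CAPS = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
# Constructed greetings: one server with TLS enabled, one without.
TLS_SERVER = build_handshake_v10("8.0.26", BASE_CAPS | CLIENT_SSL)
PLAIN_SERVER = build_handshake_v10("5.7.33", BASE_CAPS)

if __name__ == "__main__":
    for name, pkt in (("tls-enabled", TLS_SERVER), ("plaintext-only", PLAIN_SERVER)):
        print(name, "->", "proceed" if server_offers_tls(pkt) else "refuse")
```

This check only confirms that the server is willing to negotiate TLS; the client must still actually negotiate it and verify the server certificate (for example, the stock `mysql` client with `--ssl-mode=REQUIRED` or stricter). Running the same greeting parse against a real cache server, or simply checking `SHOW STATUS LIKE 'Ssl_cipher'` on an established session, is a quick way to confirm whether a token-caching connection is encrypted at all.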
Severity is high unless otherwise noted.
- Scheduler for TAS, all versions prior to 1.4.0
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
- Scheduler for TAS 1.4.0 and later
2020-11-03: Initial vulnerability report published.