All Vulnerability Reports

CVE-2020-5400: Cloud Controller logs environment variables from app manifests






VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.16, 2.7.x versions prior to 2.7.10, and 2.8.x versions prior to 2.8.4, contain a vulnerable version of Cloud Controller (CAPI), which logs properties of background jobs when they are run, which may include sensitive information such as credentials if provided to the job. A malicious user with access to those logs may gain unauthorized access to resources protected by such credentials.

Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • VMware Tanzu Application Service for VMs
    • 2.6.x versions prior to 2.6.16
    • 2.7.x versions prior to 2.7.10
    • 2.8.x versions prior to 2.8.4


Relevant log lines include the text "about to run job". Operators should inform developers to rotate any credentials that are found there. Examples include service credentials provided to service broker jobs and environment variables provided to apps deployed using server-side manifests (such as by cf v3-apply-manifest or cf7 push). Users of affected versions should apply the following mitigation or upgrade:

  • VMware Tanzu Application Service for VMs
    • 2.6.16
    • 2.7.10
    • 2.8.4


Miki Mokrysz of the GOV.UK PaaS team



2020-04-06: Initial vulnerability report published.