
CVE-2020-5399: CredHub does not properly enable TLS for MySQL database connections


Severity

High

Vendor

Pivotal

Description

Pivotal Application Service (2.5 versions prior to 2.5.20, 2.6 versions prior to 2.6.15, 2.7 versions prior to 2.7.9, and 2.8 versions prior to 2.8.3) contains a version of CredHub that connects to its MySQL database without TLS even when it is configured to use TLS. An attacker with access to the network path between CredHub and its MySQL database can read the unencrypted database traffic and thereby gain unauthorized access to CredHub and other components.
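The eavesdropping risk described above comes down to what the first client packet on the CredHub-to-MySQL connection looks like. The following is an added example for this advisory, not code from CredHub, from Pivotal or from the advisory itself: a small Python classifier for that first packet, written against the MySQL 4.1 client/server protocol. A client that honours its TLS setting sends a 32-byte SSLRequest with the CLIENT_SSL capability bit set and the TLS handshake follows immediately; a client that does not sends a full HandshakeResponse41 whose username is readable in the clear, and every query after it is plaintext as well. The packets fed in are constructed by hand for the example; on a real system you would feed it the first client-to-server bytes of a capture taken between CredHub and the database. The function names and the sample username are assumptions.

```python
"""Classify the first client packet of a MySQL connection as TLS or plaintext.

Added example for this advisory; not code from CredHub or Pivotal.  Packet
layouts follow the MySQL client/server protocol (protocol 4.1):

  header   : 3-byte little-endian payload length, 1-byte sequence id
  SSLRequest (32-byte payload): capability flags (4), max packet size (4),
             character set (1), 23 reserved bytes; CLIENT_SSL is set and the
             TLS handshake follows immediately on the same socket
  HandshakeResponse41: the same 32-byte prefix, then the NUL-terminated
             username and the auth response, all in the clear

The sample packets at the bottom are constructed for the example, not
captured traffic.
"""
import struct

CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
TLS_HANDSHAKE_RECORD = b"\x16\x03"  # TLS record: content type handshake, major version 3


def build_client_packet(capabilities, username=None, seq=1):
    """Construct the client's reply to the server greeting (test data only)."""
    payload = struct.pack("<IIB23x", capabilities, 16 * 1024 * 1024, 0x21)
    if not capabilities & CLIENT_SSL:
        # HandshakeResponse41: username, then a zero-length auth response
        payload += username.encode() + b"\x00" + b"\x00"
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def classify_client_handshake(pkt):
    """Return {'tls': bool, 'username': str or None} for the client's first packet."""
    if len(pkt) < 4 + 32:
        raise ValueError("too short for a protocol 4.1 client handshake")
    length = int.from_bytes(pkt[:3], "little")
    payload = pkt[4:4 + length]
    caps = struct.unpack_from("<I", payload, 0)[0]
    if not caps & CLIENT_PROTOCOL_41:
        raise ValueError("pre-4.1 handshake response; not handled here")
    if caps & CLIENT_SSL and length == 32:
        # SSLRequest: credentials are withheld until TLS is established
        return {"tls": True, "username": None}
    # HandshakeResponse41 on the bare socket: username readable by any observer
    end = payload.index(b"\x00", 32)
    return {"tls": False, "username": payload[32:end].decode()}


def classify_stream(client_bytes):
    """Classify client-to-server bytes: the first packet, then whether a TLS
    handshake record really follows an SSLRequest."""
    result = classify_client_handshake(client_bytes)
    if result["tls"]:
        length = int.from_bytes(client_bytes[:3], "little")
        rest = client_bytes[4 + length:]
        # If anything follows the SSLRequest it must open a TLS handshake record
        if rest and rest[:2] != TLS_HANDSHAKE_RECORD:
            result["tls"] = False
    return result


# Constructed samples: a client that honours its TLS setting, and one that does not
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("160303")  # start of a TLS 1.x handshake record
SSL_REQUEST_STREAM = (
    build_client_packet(CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_SSL)
    + TLS_CLIENT_HELLO_PREFIX
)
PLAINTEXT_STREAM = build_client_packet(CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION, "credhub")

if __name__ == "__main__":
    for name, stream in (("tls client", SSL_REQUEST_STREAM), ("plaintext client", PLAINTEXT_STREAM)):
        print(name, classify_stream(stream))
```

Classifying the first client packet is the quickest way to confirm, after upgrading, that CredHub is really negotiating TLS rather than merely being configured to. The server side can enforce the same property independently of any client bug: creating the CredHub database account with REQUIRE SSL makes MySQL reject plaintext connections outright, so a regression of this kind fails at connection time instead of silently downgrading.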

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • Pivotal Application Service (PAS)
    • 2.5 versions prior to 2.5.20
    • 2.6 versions prior to 2.6.15
    • 2.7 versions prior to 2.7.9
    • 2.8 versions prior to 2.8.3

Mitigation

Users of affected versions should upgrade to one of the following fixed versions:

  • Pivotal Application Service (PAS)
    • 2.5.20
    • 2.6.15
    • 2.7.9
    • 2.8.3

Credit

Rob Greene

References

History

2020-02-12: Initial vulnerability report published.