All Vulnerability Reports

CVE-2020-5417: Cloud Controller may allow developers to claim sensitive routes




VMware Tanzu


VMware Tanzu Application Service for VMs, all version prior to 2.7.28, 2.8.x versions prior to 2.8.22, 2.9.x versions prior to 2.9.16, and 2.10.x versions prior to 2.10.8, consumed a version of CAPI (Cloud Controller) that, when used in a deployment where an app domain is also the system domain (which is not the default in Tanzu Application Service), was vulnerable to developers maliciously or accidentally claiming certain sensitive routes, potentially resulting in the developer's app handling some requests that were expected to go to certain system components.

Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • VMware Tanzu Application Service for VMs
    • All versions prior to 2.7.28
    • 2.8.x versions prior to 2.8.22
    • 2.9.x versions prior to 2.9.16
    • 2.10.x versions prior to 2.10.8


Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

  • VMware Tanzu Application Service for VMs
    • 2.7.28
    • 2.8.22
    • 2.9.16
    • 2.10.8



2020-11-16: Initial vulnerability report published.