Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cvelistPivotalCVELIST:CVE-2020-5414
HistoryJul 30, 2020 - 12:00 a.m.

CVE-2020-5414 App Autoscaler logs credentials

2020-07-3000:00:00
CWE-200
pivotal
www.cve.org

5.7 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H

5.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.0%

JSON

VMware Tanzu Application Service for VMs (2.7.x versions prior to 2.7.19, 2.8.x versions prior to 2.8.13, and 2.9.x versions prior to 2.9.7) contains an App Autoscaler that logs the UAA admin password. This credential is redacted on VMware Tanzu Operations Manager; however, the unredacted logs are available to authenticated users of the BOSH Director. This credential would grant administrative privileges to a malicious user. The same versions of App Autoscaler also log the App Autoscaler Broker password. Prior to newer versions of Operations Manager, this credential was not redacted from logs. This credential allows a malicious user to create, delete, and modify App Autoscaler services instances. Operations Manager started redacting this credential from logs as of its versions 2.7.15, 2.8.6, and 2.9.1. Note that these logs are typically only visible to foundation administrators and operators.

CNA Affected

[
  {
    "product": "PCF Autoscaling",
    "vendor": "VMware Tanzu",
    "versions": [
      {
        "lessThan": "v232",
        "status": "affected",
        "version": "All",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Operations Manager",
    "vendor": "VMware Tanzu",
    "versions": [
      {
        "lessThan": "2.7.15",
        "status": "affected",
        "version": "2.7",
        "versionType": "custom"
      },
      {
        "lessThan": "2.8.6",
        "status": "affected",
        "version": "2.8",
        "versionType": "custom"
      },
      {
        "lessThan": "2.9.1",
        "status": "affected",
        "version": "2.9",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "VMware Tanzu Application Service for VMs",
    "vendor": "VMware Tanzu",
    "versions": [
      {
        "lessThan": "2.9.7",
        "status": "affected",
        "version": "2.9.x",
        "versionType": "custom"
      },
      {
        "lessThan": "2.7.19",
        "status": "affected",
        "version": "2.7.x",
        "versionType": "custom"
      },
      {
        "lessThan": "2.8.13",
        "status": "affected",
        "version": "2.8.x",
        "versionType": "custom"
      }
    ]
  }
]

Related

prion 1
cve 1
nvd 1
prion
prion
Design/Logic Flaw
2020-07-31 20:15:00
cve
cve
CVE-2020-5414
2020-07-31 20:15:13
nvd
nvd
CVE-2020-5414
2020-07-31 20:15:13

5.7 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H

5.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.0%

JSON
Related for CVELIST:CVE-2020-5414
prion1cve1nvd1