CVE-2020-5406

Summary

VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password. A malicious user with access to those logs may gain unauthorized access to the database being used by Autoscaling.

Affected Software

VendorProductVersion RangeStatus
PivotalVMware Tanzu Application Service for VMs2.8.x < 2.8.5affected
PivotalVMware Tanzu Application Service for VMs2.7.x < 2.7.11affected
PivotalVMware Tanzu Application Service for VMs2.6.x < 2.6.18affected

Weaknesses

  • CWE-522: CWE-522: Insufficiently Protected Credentials

ADP Enrichment

CVE Program Container

Additional References

References