CVE-2023-20891
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
The VMware Tanzu Application Service for VMs and Isolation Segment contain an information disclosure vulnerability due to the logging of credentials in hex encoding in platform system audit logs. A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| VMware | VMware Tanzu Application Service for VMs | 4.0.x < 4.0.5 | affected |
| VMware | VMware Tanzu Application Service for VMs | 3.0.x < 3.0.14 | affected |
| VMware | VMware Tanzu Application Service for VMs | 2.13.x < 2.13.24 | affected |
| VMware | VMware Tanzu Application Service for VMs | 2.11.x < 2.11.42 | affected |
| VMware | Isolation segment | 4.0.x < 4.0.4 | affected |
| VMware | Isolation segment | 3.0.x < 3.0.13 | affected |
| VMware | Isolation segment | 2.13.x < 2.13.20 | affected |
| VMware | Isolation segment | 2.11.x < 2.11.35 | affected |
Weaknesses
- CWE-532: CWE-532: Insertion of Sensitive Information into Log File
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.