CVE-2020-5406

PCF Autoscaling logs its database credentials

  • Severity Score: 6.5 (CVSS v3.1)
  • Exploit Likelihood: - (EPSS)
  • Affected Versions: see "Affected Vendors, Products, and Versions" below (CPE)
  • Public Exploits: 0 (multiple sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password. A malicious user with access to those logs may gain unauthorized access to the database being used by Autoscaling.
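The weakness described above (CWE-522) is a logging defect: the component wrote its database connection properties, username and password included, into a log that other users could read. The example below is added here and is not code from the CVE record, from VMware, or from the Autoscaling component. It shows, in Python, the two defensive pieces a practitioner would want: a log filter that masks passwords in key=value pairs and in connection URLs before a line is emitted, and a scanner that runs the same patterns over existing log lines to find credentials that were already written. The property key names, log-line shape and sample lines are constructed assumptions, not the product's real format.

```python
"""Added example (not code from the CVE record or from VMware): mask database
credentials before they reach a log, and scan existing log lines for leaks.
Key names, log line shapes and sample data below are constructed assumptions."""
import logging
import re

MASK = "***REDACTED***"

# Property keys that hold secrets (assumed naming; extend for your application).
SENSITIVE_KEY = re.compile(r"password|passwd|pwd|secret|token", re.IGNORECASE)

# "password=s3cret" / "db.password: s3cret" pairs inside free text (assumed format).
KV_SECRET = re.compile(
    r"(?P<key>[\w.\-]*(?:password|passwd|pwd|secret|token)[\w.\-]*)"
    r"(?P<sep>\s*[=:]\s*)(?P<val>[^\s,;]+)",
    re.IGNORECASE,
)
# A password embedded in a connection URL: scheme://user:PASSWORD@host
URL_SECRET = re.compile(r"(?P<prefix>://[^:/@\s]+:)(?P<pw>[^@\s]+)(?=@)")


def redact_text(text: str) -> str:
    """Replace every credential the two patterns recognise with MASK."""
    text = URL_SECRET.sub(lambda m: m.group("prefix") + MASK, text)
    return KV_SECRET.sub(lambda m: m.group("key") + m.group("sep") + MASK, text)


def redact_properties(props: dict) -> dict:
    """Copy of a connection-properties map that is safe to log: secret keys are
    masked outright, other values are scrubbed for embedded URL credentials."""
    return {
        key: MASK if SENSITIVE_KEY.search(key) else redact_text(str(value))
        for key, value in props.items()
    }


class CredentialRedactingFilter(logging.Filter):
    """Rewrites each record's message before a handler formats it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()  # already interpolated; stop the handler re-formatting
        return True


class _ListHandler(logging.Handler):
    """Collects formatted lines in memory so the filter's effect can be checked."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_through_filter(message: str, *args) -> str:
    """Emit one message via a logger whose handler carries the filter; return the line."""
    handler = _ListHandler()
    handler.addFilter(CredentialRedactingFilter())  # on the handler: covers child loggers too
    logger = logging.getLogger("autoscale.example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.info(message, *args)
    return handler.lines[0]


def find_credential_leaks(lines) -> list:
    """Return (line_number, redacted_line) for each log line that carries a
    credential; used to review logs written before the filter was in place."""
    return [
        (number, redact_text(line))
        for number, line in enumerate(lines, start=1)
        if URL_SECRET.search(line) or KV_SECRET.search(line)
    ]


# Constructed sample log lines (not real Autoscaling output).
SAMPLE_LOG = [
    "2020-04-10T12:00:00Z INFO autoscale starting",
    "2020-04-10T12:00:01Z INFO db config: url=jdbc:postgresql://10.0.0.5:5432/autoscale "
    "username=autoscale password=Hunter2!",
    "2020-04-10T12:00:02Z INFO connected to postgres://autoscale:Hunter2!@10.0.0.5:5432/autoscale",
    "2020-04-10T12:00:03Z INFO scaling rule evaluated",
]

if __name__ == "__main__":
    for number, line in find_credential_leaks(SAMPLE_LOG):
        print(f"leak on line {number}: {line}")
    safe = redact_properties({"url": "postgres://autoscale:Hunter2!@db/autoscale",
                              "password": "Hunter2!"})
    print(log_through_filter("db config: %s", safe))
```

Attaching the filter to the handler rather than the logger matters: a filter on a logger only sees records created by that logger, whereas a handler-level filter also sees records from child loggers that propagate up to it. The scanner and the filter share the same two patterns on purpose, so anything the scanner flags in old logs is exactly what the filter would have masked.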

Credits: N/A
CVSS Scores (Common Vulnerability Scoring System)
CVSS v3.1 (6.5)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact (organization's worst-case scenario): -
Timeline
  • 2020-01-03 CVE Reserved
  • 2020-04-10 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-522: Insufficiently Protected Credentials
Affected Vendors, Products, and Versions
  Vendor   Product                            Version              Other   Status
  Vmware   Tanzu Application Service For Vms  >= 2.6.0 < 2.6.18    -       Affected
  Vmware   Tanzu Application Service For Vms  >= 2.7.0 < 2.7.11    -       Affected
  Vmware   Tanzu Application Service For Vms  >= 2.8.0 < 2.8.5     -       Affected