CVE-2020-5414
App Autoscaler logs credentials
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 0
Exploited in Wild: -
Decision: -
Descriptions
VMware Tanzu Application Service for VMs (2.7.x versions prior to 2.7.19, 2.8.x versions prior to 2.8.13, and 2.9.x versions prior to 2.9.7) contains an App Autoscaler that logs the UAA admin password. This credential is redacted on VMware Tanzu Operations Manager; however, the unredacted logs are available to authenticated users of the BOSH Director. This credential would grant administrative privileges to a malicious user. The same versions of App Autoscaler also log the App Autoscaler Broker password. Prior to newer versions of Operations Manager, this credential was not redacted from logs. This credential allows a malicious user to create, delete, and modify App Autoscaler services instances. Operations Manager started redacting this credential from logs as of its versions 2.7.15, 2.8.6, and 2.9.1. Note that these logs are typically only visible to foundation administrators and operators.
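The weakness here is CWE-532: a component writes live credentials into its own logs, and a redaction layer further up (Operations Manager) only hides them from one viewing path while the raw logs remain readable elsewhere (the BOSH Director). Two checks an operator would want after an advisory like this are (1) whether any known credential value actually appears in collected logs, and (2) a redaction pass that catches both known values and anything that looks like a `password=`/`secret=` field. The following is an added example, not VMware's or the App Autoscaler's code; the log lines, field names and secret values are constructed for illustration and do not reproduce the real App Autoscaler log format.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log lines (illustrative only; not the real App Autoscaler format).
SAMPLE_LOG: List[str] = [
    "2020-07-30T10:01:02Z autoscale.api INFO starting with uaa.admin.password=s3cr3tAdminPass",
    "2020-07-30T10:01:03Z autoscale.api INFO broker credentials user=autoscaler_broker password=br0kerPass!",
    "2020-07-30T10:01:04Z autoscale.api INFO listening on :8080",
]

# Constructed credential inventory: name -> live value. In practice this would be
# loaded from the foundation's credential store, never hard-coded.
KNOWN_SECRETS: Dict[str, str] = {
    "uaa-admin": "s3cr3tAdminPass",
    "autoscaler-broker": "br0kerPass!",
}

# Key-based pattern: catches labelled secrets whose value we do not know in advance.
SECRET_FIELD_RE = re.compile(r"(?i)((?:password|passwd|secret|token)\s*[=:]\s*)(\S+)")

REDACTED = "[REDACTED]"


def find_leaks(lines: List[str], known_secrets: Dict[str, str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, credential name) for every line that contains
    a known credential value verbatim. Value matching is what catches a secret
    that was logged without any telling 'password=' label."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for name, value in known_secrets.items():
            if value in line:
                hits.append((lineno, name))
    return hits


def redact_line(line: str, known_secrets: Dict[str, str]) -> str:
    """Redact a single log line: first every known credential value, then any
    remaining labelled secret field. Lines without secrets are returned unchanged."""
    for value in known_secrets.values():
        line = line.replace(value, REDACTED)
    return SECRET_FIELD_RE.sub(lambda m: m.group(1) + REDACTED, line)


def redact_log(lines: List[str], known_secrets: Dict[str, str]) -> List[str]:
    """Redact a whole log, preserving line order and count."""
    return [redact_line(line, known_secrets) for line in lines]


if __name__ == "__main__":
    for lineno, name in find_leaks(SAMPLE_LOG, KNOWN_SECRETS):
        print(f"line {lineno}: contains credential '{name}'")
    print("\n".join(redact_log(SAMPLE_LOG, KNOWN_SECRETS)))
```

The value-based check is the one that matters for an advisory of this kind: a regex on `password=` only finds secrets the code labelled as such, while comparing against the real credential values finds a leak whatever the surrounding text looks like. Run this against the logs actually retrievable from the Director, not the Operations Manager view, since that is where the unredacted copies live.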
CVSS Scores
SSVC
- Decision: -
Timeline
- 2020-01-03 CVE Reserved
- 2020-07-31 CVE Published
- 2023-03-08 EPSS Updated
- 2024-09-17 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-532: Insertion of Sensitive Information into Log File
CAPEC
References (1)
URL | Date | Source
---|---|---
https://tanzu.vmware.com/security/cve-2020-5414 | 2020-08-04 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
VMware | Tanzu Application Service For Virtual Machines | >= 2.7.0 < 2.7.19 | - | Affected
VMware | Tanzu Application Service For Virtual Machines | >= 2.8.0 < 2.8.13 | - | Affected
VMware | Tanzu Application Service For Virtual Machines | >= 2.9.0 < 2.9.7 | - | Affected
VMware | Operations Manager | >= 2.7.0 < 2.7.15 | - | Affected
VMware | Operations Manager | >= 2.8.0 < 2.8.6 | - | Affected
VMware | Operations Manager | >= 2.9.0 < 2.9.1 | - | Affected