CVE-2023-20891
VMware Tanzu Application Service for VMs and Isolation Segment information disclosure vulnerability
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The VMware Tanzu Application Service for VMs and Isolation Segment contain an information disclosure vulnerability due to the logging of credentials in hex encoding in platform system audit logs. A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-11-01 CVE Reserved
- 2023-07-26 CVE Published
- 2024-08-01 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-532: Insertion of Sensitive Information into Log File
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.vmware.com/security/advisories/VMSA-2023-0016.html | 2023-08-03 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Vmware Search vendor "Vmware" | Isolation Segment Search vendor "Vmware" for product "Isolation Segment" | >= 2.11.0 < 2.11.35 Search vendor "Vmware" for product "Isolation Segment" and version " >= 2.11.0 < 2.11.35" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Isolation Segment Search vendor "Vmware" for product "Isolation Segment" | >= 2.13.0 < 2.13.20 Search vendor "Vmware" for product "Isolation Segment" and version " >= 2.13.0 < 2.13.20" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Isolation Segment Search vendor "Vmware" for product "Isolation Segment" | >= 3.0.0 < 3.0.13 Search vendor "Vmware" for product "Isolation Segment" and version " >= 3.0.0 < 3.0.13" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Isolation Segment Search vendor "Vmware" for product "Isolation Segment" | >= 4.0.0 < 4.0.4 Search vendor "Vmware" for product "Isolation Segment" and version " >= 4.0.0 < 4.0.4" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Tanzu Application Service For Virtual Machines Search vendor "Vmware" for product "Tanzu Application Service For Virtual Machines" | >= 2.11.0 < 2.11.42 Search vendor "Vmware" for product "Tanzu Application Service For Virtual Machines" and version " >= 2.11.0 < 2.11.42" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Tanzu Application Service For Virtual Machines Search vendor "Vmware" for product "Tanzu Application Service For Virtual Machines" | >= 2.13.0 < 2.13.24 Search vendor "Vmware" for product "Tanzu Application Service For Virtual Machines" and version " >= 2.13.0 < 2.13.24" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Tanzu Application Service For Virtual Machines Search vendor "Vmware" for product "Tanzu Application Service For Virtual Machines" | >= 3.0.0 < 3.0.14 Search vendor "Vmware" for product "Tanzu Application Service For Virtual Machines" and version " >= 3.0.0 < 3.0.14" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Tanzu Application Service For Virtual Machines Search vendor "Vmware" for product "Tanzu Application Service For Virtual Machines" | >= 4.0.0 < 4.0.5 Search vendor "Vmware" for product "Tanzu Application Service For Virtual Machines" and version " >= 4.0.0 < 4.0.5" | - |
Affected
| ||||||