Executive Summary

Information
Name : CVE-2020-5414
First vendor Publication : 2020-07-31
Vendor : Cve
Last vendor Modification : 2020-08-04

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H
Overall CVSS Score : 5.7
Base Score : 5.7
Environmental Score : 5.7
Impact Sub Score : 4.7
Temporal Score : 5.7
Exploitability Sub Score : 0.9

Attack Vector : Network
Attack Complexity : Low
Privileges Required : High
User Interaction : Required
Scope : Unchanged
Confidentiality Impact : Low
Integrity Impact : Low
Availability Impact : High

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Cvss Base Score : 6
Attack Range : Network
Cvss Impact Score : 6.4
Attack Complexity : Medium
Cvss Exploit Score : 6.8
Authentication : Requires single instance

Detail

VMware Tanzu Application Service for VMs (2.7.x versions prior to 2.7.19, 2.8.x versions prior to 2.8.13, and 2.9.x versions prior to 2.9.7) contains an App Autoscaler that logs the UAA admin password. This credential is redacted on VMware Tanzu Operations Manager; however, the unredacted logs are available to authenticated users of the BOSH Director. This credential would grant administrative privileges to a malicious user. The same versions of App Autoscaler also log the App Autoscaler Broker password. Prior to newer versions of Operations Manager, this credential was not redacted from logs. This credential allows a malicious user to create, delete, and modify App Autoscaler services instances. Operations Manager started redacting this credential from logs as of its versions 2.7.15, 2.8.6, and 2.9.1. Note that these logs are typically only visible to foundation administrators and operators.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5414

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-532 Information Leak Through Log Files

CPE : Common Platform Enumeration

Type Description Count
Application 1
Application 1

Sources (Detail)

Source Url
CONFIRM https://tanzu.vmware.com/security/cve-2020-5414

Alert History

Date Information
2020-08-05 00:23:03
  • Multiple Updates
2020-08-01 05:22:58
  • First insertion