CVE-2020-5406: PCF Autoscaling logs its database credentials

Vendor: Pivotal
Product: VMware Tanzu Application Service for VMs
Weakness: CWE-522 · Insufficiently protected credentials
Published: April 10, 2020
Last update: September 17, 2024

What the vulnerability does

01 Description

VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password. A malicious user with access to those logs may gain unauthorized access to the database being used by Autoscaling.

Key dates

02 Disclosure timeline

April 10, 2020: CVE published
September 17, 2024: Record updated