cnvd - cnvd-2020-22966

CNVD-2020-22966

Vulnerability from cnvd - Published: 2020-04-15

Title

VMware Tanzu Application Service for VMs未授权访问漏洞

Description

VMware Tanzu Application Service for VMs是美国威睿（VMware）公司的一套应用程序开发和部署解决方案。 VMware Tanzu Application Service for VMs 2.6.18之前的2.6.x版本、2.7.11之前的2.7.x版本和2.8.5之前的2.8.x版本中存在安全漏洞。攻击者可利用该漏洞获取数据库未授权的访问权限。

Severity

中

Patch Name

VMware Tanzu Application Service for VMs未授权访问漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://tanzu.vmware.com/security/cve-2020-5406

Impacted products

Name
['VMware Tanzu Application Service for VMs 2.6.，<2.6.18', 'VMware Tanzu Application Service for VMs 2.7.，<2.7.11', 'VMware Tanzu Application Service for VMs 2.8.*，<2.8.5']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-5406"
    }
  },
  "description": "VMware Tanzu Application Service for VMs\u662f\u7f8e\u56fd\u5a01\u777f\uff08VMware\uff09\u516c\u53f8\u7684\u4e00\u5957\u5e94\u7528\u7a0b\u5e8f\u5f00\u53d1\u548c\u90e8\u7f72\u89e3\u51b3\u65b9\u6848\u3002\n\nVMware Tanzu Application Service for VMs 2.6.18\u4e4b\u524d\u76842.6.x\u7248\u672c\u30012.7.11\u4e4b\u524d\u76842.7.x\u7248\u672c\u548c2.8.5\u4e4b\u524d\u76842.8.x\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u6570\u636e\u5e93\u672a\u6388\u6743\u7684\u8bbf\u95ee\u6743\u9650\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://tanzu.vmware.com/security/cve-2020-5406",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-22966",
  "openTime": "2020-04-15",
  "patchDescription": "VMware Tanzu Application Service for VMs\u662f\u7f8e\u56fd\u5a01\u777f\uff08VMware\uff09\u516c\u53f8\u7684\u4e00\u5957\u5e94\u7528\u7a0b\u5e8f\u5f00\u53d1\u548c\u90e8\u7f72\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nVMware Tanzu Application Service for VMs 2.6.18\u4e4b\u524d\u76842.6.x\u7248\u672c\u30012.7.11\u4e4b\u524d\u76842.7.x\u7248\u672c\u548c2.8.5\u4e4b\u524d\u76842.8.x\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u6570\u636e\u5e93\u672a\u6388\u6743\u7684\u8bbf\u95ee\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "VMware Tanzu Application Service for VMs\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "VMware Tanzu Application Service for VMs 2.6.*\uff0c\u003c2.6.18",
      "VMware Tanzu Application Service for VMs 2.7.*\uff0c\u003c2.7.11",
      "VMware Tanzu Application Service for VMs 2.8.*\uff0c\u003c2.8.5"
    ]
  },
  "serverity": "\u4e2d",
  "submitTime": "2020-04-13",
  "title": "VMware Tanzu Application Service for VMs\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e"
}

CVE-2020-5406 (GCVE-0-2020-5406)

Vulnerability from cvelistv5 – Published: 2020-04-10 18:50 – Updated: 2024-09-17 03:17

Title

PCF Autoscaling logs its database credentials

Summary

VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password. A malicious user with access to those logs may gain unauthorized access to the database being used by Autoscaling.

Severity ?

No CVSS data available.

CWE

CWE-522 - Insufficiently Protected Credentials

Assigner

pivotal

References

URL

Tags

https://tanzu.vmware.com/security/cve-2020-5406

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Pivotal	VMware Tanzu Application Service for VMs	Affected: 2.8.x , < 2.8.5 (custom) Affected: 2.7.x , < 2.7.11 (custom) Affected: 2.6.x , < 2.6.18 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:30:23.971Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://tanzu.vmware.com/security/cve-2020-5406"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "VMware Tanzu Application Service for VMs",
          "vendor": "Pivotal",
          "versions": [
            {
              "lessThan": "2.8.5",
              "status": "affected",
              "version": "2.8.x",
              "versionType": "custom"
            },
            {
              "lessThan": "2.7.11",
              "status": "affected",
              "version": "2.7.x",
              "versionType": "custom"
            },
            {
              "lessThan": "2.6.18",
              "status": "affected",
              "version": "2.6.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2020-04-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password. A malicious user with access to those logs may gain unauthorized access to the database being used by Autoscaling."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522: Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-10T18:50:12",
        "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "shortName": "pivotal"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://tanzu.vmware.com/security/cve-2020-5406"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "PCF Autoscaling logs its database credentials",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@pivotal.io",
          "DATE_PUBLIC": "2020-04-09T19:33:58.000Z",
          "ID": "CVE-2020-5406",
          "STATE": "PUBLIC",
          "TITLE": "PCF Autoscaling logs its database credentials"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "VMware Tanzu Application Service for VMs",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "2.8.x",
                            "version_value": "2.8.5"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "2.7.x",
                            "version_value": "2.7.11"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "2.6.x",
                            "version_value": "2.6.18"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Pivotal"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password. A malicious user with access to those logs may gain unauthorized access to the database being used by Autoscaling."
            }
          ]
        },
        "impact": null,
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-522: Insufficiently Protected Credentials"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://tanzu.vmware.com/security/cve-2020-5406",
              "refsource": "CONFIRM",
              "url": "https://tanzu.vmware.com/security/cve-2020-5406"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
    "assignerShortName": "pivotal",
    "cveId": "CVE-2020-5406",
    "datePublished": "2020-04-10T18:50:12.090459Z",
    "dateReserved": "2020-01-03T00:00:00",
    "dateUpdated": "2024-09-17T03:17:26.159Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-22966

CVE-2020-5406 (GCVE-0-2020-5406)

Tags

Sightings

Nomenclature