PT-2020-18455 · Cloud Foundry · CredHub
Rob Greene · Published 2020-02-12 · Updated 2020-02-27
CVE-2020-5399
CVSS v3.1: 7.6 (High)
Vector: AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Cloud Foundry CredHub versions prior to 2.5.10
Description
CredHub versions prior to 2.5.10 connect to their MySQL database without TLS even when configured to use it. A malicious user with access to the network between CredHub and its MySQL database can therefore eavesdrop on the database connections, potentially gaining unauthorized access to CredHub and other components.
Recommendations
For versions prior to 2.5.10, update to version 2.5.10 or later to resolve the issue. Until the update is applied, treat the CredHub-to-MySQL connection as cleartext regardless of its TLS configuration and, as a temporary workaround, restrict network access to the MySQL database to minimize the risk of exploitation.
Weakness Enumeration
Cleartext Transmission of Sensitive Information
Related Identifiers
CVE-2020-5399
Affected Products
CredHub
MySQL Server