PT-2020-18466 · Vmware · Vmware Tanzu Application Service For Vms

Published

2020-07-31

·

Updated

2020-08-04

·

CVE-2020-5414

CVSS v2.0

6.0

Medium

Vector

AV:N/AC:M/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

VMware Tanzu Application Service for VMs versions prior to 2.7.19
VMware Tanzu Application Service for VMs versions prior to 2.8.13
VMware Tanzu Application Service for VMs versions prior to 2.9.7
Description

The App Autoscaler in VMware Tanzu Application Service for VMs writes sensitive credentials to its logs: specifically, the UAA admin password and the App Autoscaler Broker password. Any authenticated user of the BOSH Director who can read these logs obtains the credentials. The UAA admin password grants administrative privileges on the foundation; the broker password allows a malicious user to create, delete, and modify App Autoscaler service instances. The exposure is limited by the fact that these logs are typically visible only to foundation administrators and operators, which is why the vector requires authentication (Au:S).
Recommendations

For versions prior to 2.7.19, update to version 2.7.19 or later.
For versions prior to 2.8.13, update to version 2.8.13 or later.
For versions prior to 2.9.7, update to version 2.9.7 or later.

Upgrading stops the App Autoscaler from writing the passwords to its logs; it does not scrub logs that were already written. Credentials that appeared in logs readable by other BOSH Director users should be treated as exposed, and the UAA admin password and App Autoscaler Broker password rotated after the upgrade.
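The operator-side check that follows is an added example and is not part of this advisory or of VMware's code. It answers the question an operator has after reading the description above: did a specific credential value actually end up in the logs I can read? It searches log lines for the literal value of each known secret and for its percent-encoded form (the shape a password takes inside a credentialed URL), and reports matches with the secret itself redacted so the report does not become a second leak. The secret names, log lines, and values are constructed for illustration and do not reproduce the real App Autoscaler log format; in practice the values would be pulled from the foundation's credential store.

```python
"""Check log text for known credential values (added example, not advisory or VMware code).

The fix for CVE-2020-5414 stops App Autoscaler from logging the UAA admin and
Autoscaler Broker passwords but does not scrub logs already on disk. This
script reports lines containing a known secret, in literal or percent-encoded
form, with the secret redacted. Log lines and secrets below are constructed
for the example and do not reproduce the real App Autoscaler log format.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List
from urllib.parse import quote


@dataclass(frozen=True)
class Finding:
    line_no: int
    secret_name: str
    redacted_line: str  # the matching line with every secret occurrence replaced


def _variants(value: str) -> List[str]:
    """Forms in which a password commonly surfaces in logs: the literal text
    and its percent-encoded form (e.g. inside https://user:pass@host/ URLs)."""
    return list({value, quote(value, safe="")})


def find_secrets(lines: Iterable[str], secrets: Dict[str, str]) -> List[Finding]:
    """Return one Finding per (line, secret) pair where any variant of the
    secret value occurs. The returned line has each occurrence replaced with
    <REDACTED:name>, so the report never repeats the credential itself."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        matched: List[str] = []
        for name, value in secrets.items():
            if not value:
                continue  # an empty secret would match every line
            for form in _variants(value):
                if form in line:
                    line = line.replace(form, f"<REDACTED:{name}>")
                    if name not in matched:
                        matched.append(name)
        for name in matched:
            findings.append(Finding(line_no, name, line))
    return findings


# Constructed sample log; the format is made up for this example.
SAMPLE_LOG = """\
2020-07-30T10:15:02Z broker starting up
2020-07-30T10:15:03Z broker config loaded: {"uaa_client":"admin","uaa_password":"Sup3r!Secret#1"}
2020-07-30T10:15:04Z broker GET https://autoscale-broker:pwd-Br0ker%21@broker.example.internal/v2/catalog
2020-07-30T10:15:05Z broker registered with cloud controller
""".splitlines(keepends=True)

# Hypothetical secret values; an operator would load these from the credential store.
KNOWN_SECRETS = {
    "uaa_admin_password": "Sup3r!Secret#1",
    "autoscaler_broker_password": "pwd-Br0ker!",
}


def scan_sample() -> List[Finding]:
    """Run the check over the constructed sample log."""
    return find_secrets(SAMPLE_LOG, KNOWN_SECRETS)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.secret_name} -> {f.redacted_line}")
```

Running it over the sample reports two hits: the literal UAA admin password embedded in a JSON config line, and the broker password that only appears percent-encoded inside a URL, which a plain grep for the literal value would miss. Point `find_secrets` at the real log files and the real credential values to check a foundation after upgrading and before deciding which credentials to rotate.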

Fix

Insertion into Log File

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2020-5414

Affected Products

Vmware Tanzu Application Service For Vms