CVE-2023-20891

Published Jul 26, 2023

Last updated a year ago

CVSS medium 6.5

Overview

Description: The VMware Tanzu Application Service for VMs and Isolation Segment contain an information disclosure vulnerability due to the logging of credentials in hex encoding in platform system audit logs. A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs.
Source: security@vmware.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 6.5
Impact score: 3.6
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity: MEDIUM

Weaknesses

nvd@nist.gov: CWE-532
security@vmware.com: CWE-532

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:vmware:isolation_segment:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8554D488-AB21-4A0B-AA10-CA81836B9335",
            "versionEndExcluding": "2.11.35",
            "versionStartIncluding": "2.11.0"
          },
          {
            "criteria": "cpe:2.3:a:vmware:isolation_segment:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "15933381-A637-47B0-920C-08ADC5C5B13F",
            "versionEndExcluding": "2.13.20",
            "versionStartIncluding": "2.13.0"
          },
          {
            "criteria": "cpe:2.3:a:vmware:isolation_segment:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "13991ED6-82C2-40EE-A2BF-31442DA6CCBE",
            "versionEndExcluding": "3.0.13",
            "versionStartIncluding": "3.0.0"
          },
          {
            "criteria": "cpe:2.3:a:vmware:isolation_segment:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BA407428-AA0E-4BBB-B324-FB03CE68264F",
            "versionEndExcluding": "4.0.4",
            "versionStartIncluding": "4.0.0"
          },
          {
            "criteria": "cpe:2.3:a:vmware:tanzu_application_service_for_virtual_machines:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D10A0D3F-4BEB-4374-851D-C51953921586",
            "versionEndExcluding": "2.11.42",
            "versionStartIncluding": "2.11.0"
          },
          {
            "criteria": "cpe:2.3:a:vmware:tanzu_application_service_for_virtual_machines:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "25CF5CBB-6CAE-4A7E-A782-6D9C7C8007CF",
            "versionEndExcluding": "2.13.24",
            "versionStartIncluding": "2.13.0"
          },
          {
            "criteria": "cpe:2.3:a:vmware:tanzu_application_service_for_virtual_machines:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "39F5A99C-2011-434C-9557-E5359ADED750",
            "versionEndExcluding": "3.0.14",
            "versionStartIncluding": "3.0.0"
          },
          {
            "criteria": "cpe:2.3:a:vmware:tanzu_application_service_for_virtual_machines:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "82350216-D6EB-42C5-B44D-1227A58E760A",
            "versionEndExcluding": "4.0.5",
            "versionStartIncluding": "4.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References