Information disclosure in VMware Tanzu Application Service for VMs



Published: 2020-11-17
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-5417
CWE-ID CWE-732
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		VMware Tanzu Application Service for VMs
Server applications / Other server solutions

Vendor VMware, Inc

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Incorrect permission assignment for critical resource

EUVDB-ID: #VU46181

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5417

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the sysem.

The vulnerability exists when the affected software is used in a deployment where an app domain is also the system domain. A remote authenticated attacker can claim certain sensitive routes, potentially resulting in the developer’s app handling some requests that were expected to go to certain system components. 

Mitigation

Install updates from vendor's website.

Vulnerable software versions

VMware Tanzu Application Service for VMs: 2.3.3 - 2.10.7

External links

http://tanzu.vmware.com/security/cve-2020-5417


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###