CVE-2020-5400

Published: Feb 27, 2020Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Cloud Foundry Cloud Controller (CAPI), versions prior to 1.91.0, logs properties of background jobs when they are run, which may include sensitive information such as credentials if provided to the job. A malicious user with access to those logs may gain unauthorized access to resources protected by such credentials.

Affected (2)

Products: Cloudfoundry: Capi Release, Cf Deployment

2 products

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Cloudfoundry Capi Release	Before 1.91.0
Cloudfoundry Cf Deployment	Before 12.33.0

Related CWEs

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References (2)

https://www.cloudfoundry.org/blog/cve-2020-5400

Source: security@pivotal.io

Vendor Advisory

https://www.cloudfoundry.org/blog/cve-2020-5400

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.