CVE-2023-20891

The VMware Tanzu Application Service for VMs and Isolation Segment contain an information disclosure vulnerability due to the logging of credentials in hex encoding in platform system audit logs. A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:vmware:isolation_segment:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:isolation_segment:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:isolation_segment:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:isolation_segment:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:tanzu_application_service_for_virtual_machines:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:tanzu_application_service_for_virtual_machines:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:tanzu_application_service_for_virtual_machines:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:tanzu_application_service_for_virtual_machines:*:*:*:*:*:*:*:*

History

03 Aug 2023, 15:03

Type Values Removed Values Added
CPE cpe:2.3:a:vmware:isolation_segment:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:tanzu_application_service_for_virtual_machines:*:*:*:*:*:*:*:*
References (MISC) https://www.vmware.com/security/advisories/VMSA-2023-0016.html - (MISC) https://www.vmware.com/security/advisories/VMSA-2023-0016.html - Patch, Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5
CWE CWE-532
First Time Vmware isolation Segment
Vmware tanzu Application Service For Virtual Machines
Vmware

26 Jul 2023, 06:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-26 06:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-20891

Mitre link : CVE-2023-20891

CVE.ORG link : CVE-2023-20891


JSON object : View

Products Affected

vmware

  • tanzu_application_service_for_virtual_machines
  • isolation_segment
CWE
CWE-532

Insertion of Sensitive Information into Log File