CVE-2023-20891

VMware Tanzu Application Service for VMs and Isolation Segment information disclosure vulnerability

CVSS 6.5 MEDIUMEPSS 0.5%CWE-532

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.5EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

26 Jul 2023Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The VMware Tanzu Application Service for VMs and Isolation Segment contain an information disclosure vulnerability due to the logging of credentials in hex encoding in platform system audit logs. A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected products

VMware · Isolation segment VMware · VMware Tanzu Application Service for VMs

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.vmware.com/security/advisories/VMSA-2023-0016.html