PRIOn knowledge base: PRION:CVE-2023-20891
History: Jul 26, 2023 - 6:15 a.m.

Information disclosure

2023-07-26 06:15:00
PRIOn knowledge base
www.prio-n.com
vmware tanzu
information disclosure vulnerability
hex encoding
system audit logs
non-admin user
malicious application.

AI Score: 6.2 Medium (Confidence: High)
EPSS: 0.0005 Low (Percentile: 18.3%)

The VMware Tanzu Application Service for VMs and Isolation Segment contain an information disclosure vulnerability due to the logging of credentials in hex encoding in platform system audit logs. A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs.
