Vulnerability Description
The VMware Tanzu Application Service for VMs and Isolation Segment contain an information disclosure vulnerability due to the logging of credentials in hex encoding in platform system audit logs. A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs.
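The weakness described above is that a secret reaches an audit log in a reversible (hex) encoding, so anyone who can read the log can recover it. The following is an added example, not code from the advisory or from VMware, of the check a defender would run over such logs: it finds hex runs, decodes them, flags those that decode to credential-looking text, and produces a redacted copy. The log lines, the field names, and the heuristics are constructed assumptions for illustration and do not reproduce the real Tanzu Application Service audit format.

```python
import re
import string

# Constructed sample audit-log lines (assumed format, not real TAS output).
# Line 0 carries a hex-encoded "user:password" pair, line 1 carries an
# ordinary hex request id, line 2 is clean.
SAMPLE_AUDIT_LINES = [
    '2023-07-25T10:01:02Z audit user=deployer action=cf_api_call args='
    + 'admin:s3cr3t-Pa55w0rd'.encode().hex(),
    '2023-07-25T10:01:03Z audit user=deployer action=request id=9f8e7d6c5b4a3928',
    '2023-07-25T10:01:04Z audit user=deployer action=push app=webapp result=ok',
]

# A hex run of at least 8 bytes, whole token (even length is enforced by the pairs).
HEX_TOKEN = re.compile(r'\b(?:[0-9a-fA-F]{2}){8,}\b')
PRINTABLE = set(string.printable) - set('\x0b\x0c')


def decode_if_text(token):
    """Return the decoded string if the hex token is printable ASCII, else None."""
    try:
        text = bytes.fromhex(token).decode('ascii')
    except (ValueError, UnicodeDecodeError):
        return None
    if text and all(c in PRINTABLE for c in text):
        return text
    return None


def looks_like_credential(text):
    """Heuristic: 'user:secret' shape or a secret-bearing key name (assumed rules)."""
    if ':' in text and ' ' not in text:
        return True
    lowered = text.lower()
    return any(k in lowered for k in ('password', 'secret', 'token', 'client_secret'))


def scan_audit_lines(lines):
    """Scan log lines for hex-encoded credential-like text.

    Returns (findings, redacted): findings is a list of
    (line_index, hex_token, reason); redacted is a copy of the input with
    each flagged token replaced by '[REDACTED]'.
    """
    findings = []
    redacted = []
    for index, line in enumerate(lines):
        clean = line
        for match in HEX_TOKEN.finditer(line):
            token = match.group(0)
            text = decode_if_text(token)
            if text is not None and looks_like_credential(text):
                findings.append((index, token, 'hex-encoded credential-like text'))
                clean = clean.replace(token, '[REDACTED]')
        redacted.append(clean)
    return findings, redacted


if __name__ == '__main__':
    hits, cleaned = scan_audit_lines(SAMPLE_AUDIT_LINES)
    for index, token, reason in hits:
        print(f'line {index}: {reason} ({len(token) // 2} bytes)')
    print('\n'.join(cleaned))
```

Any hit against archived audit logs from an affected version should be treated as an exposure of the encoded credential, not just a logging bug: rotate the CF API admin credential after upgrading, and keep audit-log access restricted to administrators as in the default deployment.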
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| VMware | Isolation Segment | >= 2.11.0, < 2.11.35 |
| VMware | Tanzu Application Service for Virtual Machines | >= 2.11.0, < 2.11.42 |
Related Weaknesses (CWE)
References
- https://www.vmware.com/security/advisories/VMSA-2023-0016.html (Patch, Vendor Advisory)
FAQ
What is CVE-2023-20891?
CVE-2023-20891 is a vulnerability with a CVSS score of 6.5 (MEDIUM): an information disclosure in VMware Tanzu Application Service for VMs and Isolation Segment caused by CF API admin credentials being written hex-encoded to the platform system audit logs, as described in the Vulnerability Description above.
How severe is CVE-2023-20891?
CVE-2023-20891 has been rated MEDIUM with a CVSS base score of 6.5/10.
Is there a patch for CVE-2023-20891?
Check the references section above for the vendor advisory and patch information. Affected products include VMware Isolation Segment and VMware Tanzu Application Service for Virtual Machines.