CVE-2023-20891

MEDIUM Year: 2023
CVSS v3 Score
6.5
Medium
Weakness Type
CWE-532
View all →

Vulnerability Description

The VMware Tanzu Application Service for VMs and Isolation Segment contain an information disclosure vulnerability due to the logging of credentials in hex encoding in platform system audit logs. A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs.

Related Vulnerabilities

CVE-2016-10362

MEDIUM
CVSS:6.5(Medium)

Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP basic auth credentials.

CWE-5322016

CVE-2016-10819

MEDIUM
CVSS:6.5(Medium)

In cPanel before 57.9999.54, user log files become world-readable when rotated by cpanellogd (SEC-125).

CWE-5322016

CVE-2017-11134

MEDIUM
CVSS:6.5(Medium)

An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android. The login credentials are written into a log file on the device. Hence, an attacker with access to the logs can read them.

CWE-5322017

CVE-2017-3744

MEDIUM
CVSS:6.5(Medium)

In the IMM2 firmware of Lenovo System x servers, remote commands issued by LXCA or other utilities may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated ...

CWE-5322017

CVE-2018-0504

MEDIUM
CVSS:6.5(Medium)

Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains an information disclosure flaw in the Special:Redirect/logid

CWE-5322018

CVE-2018-19014

MEDIUM
CVSS:6.5(Medium)

Drager Infinity Delta, Infinity Delta, all versions, Delta XL, all versions, Kappa, all version, and Infinity Explorer C700, all versions. Log files are accessible over an unauthenticated network conn...

CWE-5322018