CVE-2020-5399Cleartext Transmission of Sensitive Info in Foundry Credhub

CWE-319Cleartext Transmission of Sensitive Info3 documents3 sources
Severity
7.4HIGHNVD
EPSS
0.2%
top 57.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Cloud Foundry CredhubCloudfoundry CredhubPivotal Software Cloud Foundry Cf-deployment
Timeline
PublishedFeb 12
Latest updateMay 24

Description

Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS. A malicious user with access to the network between CredHub and its MySQL database may eavesdrop on database connections and thereby gain unauthorized access to CredHub and other components.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages3 packages

NVDcloudfoundry/credhub< 2.5.10
CVEListV5cloud_foundry/credhubEdge2.5.10

🔴Vulnerability Details

2
GHSA
GHSA-w39h-6cmp-6crw: Cloud Foundry CredHub, versions prior to 22022-05-24
CVEList
CredHub does not properly enable TLS for MySQL database connections2020-02-12
CVE-2020-5399 — Cloud Foundry Credhub vulnerability | cvebase