CVE-2020-5417: Cloud Controller may allow developers to claim sensitive routes
Severity
High
Vendor
VMware Tanzu
Description
VMware Tanzu Application Service for VMs, all version prior to 2.7.28, 2.8.x versions prior to 2.8.22, 2.9.x versions prior to 2.9.16, and 2.10.x versions prior to 2.10.8, consumed a version of CAPI (Cloud Controller) that, when used in a deployment where an app domain is also the system domain (which is not the default in Tanzu Application Service), was vulnerable to developers maliciously or accidentally claiming certain sensitive routes, potentially resulting in the developer's app handling some requests that were expected to go to certain system components.
Affected VMware Products and Versions
Severity is high unless otherwise noted.
-
VMware Tanzu Application Service for VMs
- All versions prior to 2.7.28
- 2.8.x versions prior to 2.8.22
- 2.9.x versions prior to 2.9.16
- 2.10.x versions prior to 2.10.8
Mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
-
VMware Tanzu Application Service for VMs
- 2.7.28
- 2.8.22
- 2.9.16
- 2.10.8
References
History
2020-11-16: Initial vulnerability report published.