Support Content Notification - Support Portal

CVE-2020-5417: Cloud Controller may allow developers to claim sensitive routes

Product/Component

Notification Id

23946

Last Updated

16 November 2020

Initial Publication Date

16 November 2020

Status

CLOSED

Severity

HIGH

CVSS Base Score

WorkAround

Affected CVE

CVE-2020-5417

Severity

High

Vendor

VMware Tanzu

Description

VMware Tanzu Application Service for VMs, all version prior to 2.7.28, 2.8.x versions prior to 2.8.22, 2.9.x versions prior to 2.9.16, and 2.10.x versions prior to 2.10.8, consumed a version of CAPI (Cloud Controller) that, when used in a deployment where an app domain is also the system domain (which is not the default in Tanzu Application Service), was vulnerable to developers maliciously or accidentally claiming certain sensitive routes, potentially resulting in the developer's app handling some requests that were expected to go to certain system components.

Affected VMware Products and Versions

Severity is high unless otherwise noted.

VMware Tanzu Application Service for VMs
- All versions prior to 2.7.28
- 2.8.x versions prior to 2.8.22
- 2.9.x versions prior to 2.9.16
- 2.10.x versions prior to 2.10.8

Mitigation

VMware Tanzu Application Service for VMs
- 2.7.28
- 2.8.22
- 2.9.16
- 2.10.8

References

https://www.cloudfoundry.org/blog/cve-2020-5417

History

2020-11-16: Initial vulnerability report published.