CVE-2023-20891
The VMware Tanzu Application Service for VMs and Isolation Segment contain an information disclosure vulnerability due to the logging of credentials in hex encoding in platform system audit logs. A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs.
| Software | From | Fixed in |
|---|---|---|
| vmware / isolation_segment | 2.11.0 | 2.11.35 |
| vmware / isolation_segment | 2.13.0 | 2.13.20 |
| vmware / isolation_segment | 3.0.0 | 3.0.13 |
| vmware / isolation_segment | 4.0.0 | 4.0.4 |
| vmware / tanzu_application_service_for_virtual_machines | 2.11.0 | 2.11.42 |
| vmware / tanzu_application_service_for_virtual_machines | 3.0.0 | 3.0.14 |
| vmware / tanzu_application_service_for_virtual_machines | 2.13.0 | 2.13.24 |
| vmware / tanzu_application_service_for_virtual_machines | 4.0.0 | 4.0.5 |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime