cloudfoundry credhub CVE-2020-5399 in Cloudfoundry and Pivotal Software Products
Published on February 12, 2020

CredHub does not properly enable TLS for MySQL database connections

product logo product logo
Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS. A malicious user with access to the network between CredHub and its MySQL database may eavesdrop on database connections and thereby gain unauthorized access to CredHub and other components.

NVD

Weakness Type

Cleartext Transmission of Sensitive Information

The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. Many communication channels can be "sniffed" by attackers during data transmission. For example, network traffic can often be sniffed by any attacker who has access to a network interface. This significantly lowers the difficulty of exploitation by attackers.


Products Associated with CVE-2020-5399

stack.watch emails you whenever new vulnerabilities are published in Cloudfoundry Credhub or Pivotal Software Cloud Foundry Cf Deployment. Just hit a watch button to start following.

Cloudfoundry Credhub
 
Pivotal Software Cloud Foundry Cf Deployment
 

Affected Versions

Cloud Foundry CredHub:

Exploit Probability

EPSS
0.20%
Percentile
41.97%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.