CRITICAL🇵🇱 Wersja polska

CVE-2020-5426

CVSS 9.8v3.1pub. 2020-11-11upd. 2024-11-21

Scheduler for TAS prior to version 1.4.0 was permitting plaintext transmission of UAA client token by sending it over a non-TLS connection. This also depended on the configuration of the MySQL server which is used to cache a UAA client token used by the service. If intercepted the token can give an attacker admin level access in the cloud controller.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • VMware Pivotal Scheduler

    APP
    Vmware
    < 1.4.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-22224CRITICAL9.3⚠ KEVPL ✓ten sam vendor

VMware ESXi/Workstation: TOCTOU umożliwia ucieczkę z VM przez VMX process

CVE-2024-38812CRITICAL9.8⚠ KEVPL ✓ten sam vendor

VMware vCenter Server — heap-overflow w DCERPC umożliwia RCE

CVE-2024-37079CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Heap overflow w VMware vCenter Server via protokół DCERPC — RCE

CVE-2023-34048CRITICAL9.8⚠ KEVten sam vendor

vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A m...

CVE-2023-20887CRITICAL9.8⚠ KEVten sam vendor

Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access...