Single Sign On For Vmware Tanzu
Approved changes feed: RSS · Atom
cpe:2.3:a:vmware_tanzu:single_sign-on_for_vmware_tanzu:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Vmware Tanzu (da821fa9-004a-54a3-94e4-fdafe5ab01aa) |
|---|---|
| Product | Single Sign On For Vmware Tanzu (e3024249-acfc-5d89-87fc-15c9e9db0899) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2020-5425 |
vulnerable | 2026-06-08 05:26:42.882788 |
User Impersonation possible in Tanzu SSO
HIGH (7.5)
Single Sign-On for Vmware Tanzu all versions prior to 1.11.3 ,1.12.x versions prior to 1.12.4 and 1.13.x prior to 1.13.1 are vulnerable to user impersonation attack.If two users are logged in to the SSO operator dashboard at the same time, with the same username, from two different identity providers, one can acquire the token of the other and thus operate with their permissions. Note: Foundation may be vulnerable only if: 1) The system zone is set up to use a SAML identity provider 2) There are internal users that have the same username as users in the external SAML provider 3) Those duplicate-named users have the scope to access the SSO operator dashboard 4) The vulnerability doesn't appear with LDAP because of chained authentication.
Published: 2020-10-31T21:45:14.942Z
Updated: 2024-09-17T01:41:44.803Z Reference links |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.