{"id":"CVE-2020-5399","details":"Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS. A malicious user with access to the network between CredHub and its MySQL database may eavesdrop on database connections and thereby gain unauthorized access to CredHub and other components.","modified":"2026-04-10T04:27:39.155382Z","published":"2020-02-12T21:15:14.007Z","references":[{"type":"ADVISORY","url":"https://www.cloudfoundry.org/blog/cve-2020-5399"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pivotal/credhub-release","events":[{"introduced":"0"},{"fixed":"30410f8635441d4346c59ba22c99fd1e16a9cf90"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.5.10"}]}}],"versions":["0.1.0","0.2.0","0.3.0","0.4.0","0.5.0","0.5.1","0.6.0","0.6.1","0.7.0","0.8.0","1.0.0","1.1.0","1.1.0-rc.1","1.1.1","1.1.2","1.2.0","1.3.0","1.3.6","1.3.7","1.4.0","1.5.0","1.6.0","1.6.1","1.6.10","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9","1.7.0","1.7.1","1.7.4","1.7.5","1.7.6","1.7.7","1.7.8","1.7.9","1.8.0","1.8.1","1.8.2","1.8.3","1.9.10","1.9.11","1.9.12","1.9.2","1.9.3","1.9.4","1.9.5","1.9.6","1.9.7","1.9.8","1.9.9","2.0.0","2.0.0-rc.1","2.0.1","2.0.2","2.0.3","2.0.4","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.1.6","2.2.0","2.3.0","2.4.0","2.5.0","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.5.6","2.5.7","2.5.8","2.5.9","v1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"12.29.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-5399.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}