Filtered by vendor Vmware
Total: 892 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-22056 | 2 Linux, Vmware | 4 Linux Kernel, Identity Manager, Vrealize Automation and 1 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 and Identity Manager 3.3.5, 3.3.4, and 3.3.3 contain an SSRF vulnerability. A malicious actor with network access may be able to make HTTP requests to arbitrary origins and read the full response.
CVE-2021-22012 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.
CVE-2021-22038 | 1 Vmware | 1 Installbuilder | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH | On Windows, the uninstaller binary copies itself to a fixed temporary location, which is then executed (the originally called uninstaller exits, so it does not block the installation directory). This temporary location is not randomized and does not restrict access to Administrators only, so a potential attacker could plant a binary to replace the copied binary right before it gets called, thus gaining Administrator privileges (if the original uninstaller was executed as Administrator). The vulnerability only affects Windows installers.
CVE-2021-22047 | 1 Vmware | 1 Spring Data Rest | 2024-02-28 | 4.3 MEDIUM | 5.3 MEDIUM | In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for unauthorized access depending on the Spring Security configuration.
CVE-2022-22939 | 1 Vmware | 1 Cloud Foundation | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM | VMware Cloud Foundation contains an information disclosure vulnerability due to logging of credentials in plain-text within multiple log files on the SDDC Manager. A malicious actor with root access on VMware Cloud Foundation SDDC Manager may be able to view credentials in plaintext within one or more log files.
CVE-2021-22019 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | The vCenter Server contains a denial-of-service vulnerability in the VAPI (vCenter API) service. A malicious actor with network access to port 5480 on vCenter Server may exploit this issue by sending a specially crafted jsonrpc message to create a denial-of-service condition.
CVE-2021-22017 | 1 Vmware | 1 Vcenter Server | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM | Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to bypass the proxy, leading to internal endpoints being accessed.
CVE-2021-22020 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM | The vCenter Server contains a denial-of-service vulnerability in the Analytics service. Successful exploitation of this issue may allow an attacker to create a denial-of-service condition on vCenter Server.
CVE-2021-22016 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM | The vCenter Server contains a reflected cross-site scripting vulnerability due to a lack of input sanitization. An attacker may exploit this issue to execute malicious scripts by tricking a victim into clicking a malicious link.
CVE-2021-22048 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH | The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism. A malicious actor with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group.
CVE-2020-3960 | 1 Vmware | 3 Fusion, Vsphere Esxi, Workstation | 2024-02-28 | 3.6 LOW | 8.4 HIGH | VMware ESXi (6.7 before ESXi670-202006401-SG and 6.5 before ESXi650-202005401-SG), Workstation (15.x before 15.5.5), and Fusion (11.x before 11.5.5) contain an out-of-bounds read vulnerability in NVMe functionality. A malicious actor with local non-administrative access to a virtual machine with a virtual NVMe controller present may be able to read privileged information contained in physical memory.
CVE-2021-22007 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM | The vCenter Server contains a local information disclosure vulnerability in the Analytics service. An authenticated user with non-administrative privilege may exploit this issue to gain access to sensitive information.
CVE-2021-21992 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2024-02-28 | 6.8 MEDIUM | 6.5 MEDIUM | The vCenter Server contains a denial-of-service vulnerability due to improper XML entity parsing. A malicious actor with non-administrative user access to the vCenter Server vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash) may exploit this issue to create a denial-of-service condition on the vCenter Server host.
CVE-2021-22053 | 1 Vmware | 1 Spring Cloud Netflix | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH | Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are evaluated as SpringEL expressions, which can lead to code execution.
CVE-2021-22097 | 1 Vmware | 1 Spring Advanced Message Queuing Protocol | 2024-02-28 | 6.8 MEDIUM | 6.5 MEDIUM | In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100% CPU usage in the application if the toString() method is called.
CVE-2021-22010 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | The vCenter Server contains a denial-of-service vulnerability in the VPXD service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to create a denial-of-service condition due to excessive memory consumption by the VPXD service.
CVE-2021-22051 | 1 Vmware | 1 Spring Cloud Gateway | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM | Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2.2.10.RELEASE or newer.
CVE-2021-22035 | 1 Vmware | 3 Cloud Foundation, Vrealize Log Insight, Vrealize Suite Lifecycle Manager | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM | VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV (Comma Separated Value) injection vulnerability in the interactive analytics export function. An authenticated malicious actor with non-administrative privileges may be able to embed untrusted data prior to exporting a CSV sheet through Log Insight, which could be executed in the user's environment.
CVE-2021-22015 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2024-02-28 | 7.2 HIGH | 7.8 HIGH | The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. An authenticated local user with non-administrative privilege may exploit these issues to elevate their privileges to root on vCenter Server Appliance.
CVE-2021-22057 | 2 Linux, Vmware | 2 Linux Kernel, Workspace One Access | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH | VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 contain an authentication bypass vulnerability. A malicious actor who has successfully provided first-factor authentication may be able to obtain second-factor authentication provided by VMware Verify.
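The CVE-2021-22056 entry above describes the SSRF pattern: a server-side component fetches a URL that a network attacker can influence, so the attacker can point it at arbitrary origins (including internal or cloud-metadata addresses) and read the response. The following is an added example, not code from VMware or from the affected product, showing the outbound-URL validation a practitioner would put in front of such a fetch: strict scheme and allowlisted origin, no userinfo, and a resolve-then-check step so an allowlisted name that resolves to a non-public address is still refused. The allowlist, the fake DNS table and every address in it are constructed for the example; real code would resolve with `socket.getaddrinfo` and must also disable redirects on the actual request.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of (scheme, host, port) origins the service may call (assumption).
ALLOWED_ORIGINS = {
    ("https", "idp.example.com", 443),
    ("https", "api.example.com", 443),
    ("https", "metrics.example.com", 443),
}

# Constructed resolver so the example runs offline (assumption: production code
# resolves with socket.getaddrinfo and checks every returned address).
FAKE_DNS = {
    "idp.example.com": ["93.184.216.34"],
    "api.example.com": ["93.184.216.34", "93.184.216.35"],
    "metrics.example.com": ["10.0.0.5"],        # allowlisted name now pointing inside the network
    "evil.example.net": ["169.254.169.254"],    # not allowlisted; would hit cloud metadata
}


def resolve_fake(host):
    return FAKE_DNS.get(host, [])


def is_public_address(ip):
    # is_global is False for RFC 1918, loopback, link-local (169.254/16), CGNAT,
    # documentation ranges and unspecified addresses, for both IPv4 and IPv6.
    return ipaddress.ip_address(ip).is_global


def validate_outbound_url(url, resolver=resolve_fake):
    """Return (allowed, reason) for a URL the server is about to fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return False, "malformed URL"
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return False, "scheme not http(s)"
    if parts.username is not None or parts.password is not None:
        # "https://idp.example.com@evil.example.net/" parses as host evil.example.net
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port is None:
        port = 443 if scheme == "https" else 80
    if (scheme, host, port) not in ALLOWED_ORIGINS:
        return False, "origin not allowlisted"
    addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "allowed"


if __name__ == "__main__":
    for candidate in ("https://idp.example.com/SAAS/auth",
                      "https://idp.example.com@evil.example.net/",
                      "https://metrics.example.com/",
                      "http://127.0.0.1:5480/"):
        print(candidate, "->", validate_outbound_url(candidate))
```

The check must be repeated on every hop if the HTTP client follows redirects; the simplest policy is to disable redirects for server-side fetches and treat a 3xx from an allowlisted origin as a failure.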
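The CVE-2021-22017 entry above describes a reverse proxy whose access decision was made on a URI that had not been properly normalized, so a request path could be written one way for the proxy's check and interpreted another way by the backend, reaching endpoints the proxy was meant to hide. The following is an added example, not rhttproxy code or anything from VMware, contrasting a naive prefix check on the raw path with one made after canonicalisation (percent-decoding, removal of `;param` path segments, collapse of `.`/`..` and duplicate slashes). The public and internal prefixes are constructed for the example; the one real rule it demonstrates is that the proxy must canonicalise at least as aggressively as the backend it fronts.

```python
import posixpath
from urllib.parse import unquote

# Constructed routing policy (assumption): only these prefixes may be forwarded,
# and these internal prefixes must never be reachable through the proxy.
PUBLIC_PREFIXES = ("/ui/", "/sdk/")
INTERNAL_PREFIXES = ("/internal/",)


def naive_is_allowed(raw_target):
    """Vulnerable pattern: prefix check on the request-target as received."""
    return raw_target.startswith(PUBLIC_PREFIXES)


def normalize_request_path(raw_target):
    """Canonicalise a request-target the way a typical backend will interpret it."""
    path = raw_target.split("?", 1)[0].split("#", 1)[0]     # drop query and fragment
    path = unquote(path)                                     # %2e%2e -> ..
    if "%" in path:                                          # double encoding: %252e -> %2e -> .
        path = unquote(path)
    if "\x00" in path or "\\" in path:
        raise ValueError("forbidden character in path")
    # Strip ";param" path parameters per segment: Java servlet containers do this
    # before routing, so "/ui/..;/internal/x" reaches the backend as "/ui/../internal/x".
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Resolve "." and "..", collapse repeated slashes, and force exactly one leading
    # slash so "//host/x" cannot later be read as a scheme-relative URL.
    return posixpath.normpath("/" + path.lstrip("/"))


def hardened_is_allowed(raw_target):
    """Access decision taken on the canonical path, with an explicit deny list first."""
    try:
        canon = normalize_request_path(raw_target)
    except ValueError:
        return False
    probe = canon + "/"            # so "/ui" matches "/ui/" without matching "/uix"
    if probe.startswith(INTERNAL_PREFIXES):
        return False
    return probe.startswith(PUBLIC_PREFIXES)


if __name__ == "__main__":
    for target in ("/ui/index.html", "/ui/../internal/admin", "/ui/%2e%2e/internal/admin",
                   "/ui/%252e%252e/internal/admin", "/ui/..;/internal/admin", "//internal/admin"):
        print(f"{target:32} naive={naive_is_allowed(target)!s:5} "
              f"hardened={hardened_is_allowed(target)!s:5} canon={normalize_request_path(target)}")
```

The deny-list check on `INTERNAL_PREFIXES` runs before the allow-list so that any future canonicalisation gap fails closed for the sensitive paths; in a real deployment the proxy would additionally forward the canonical path, not the raw one, to the backend.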
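The CVE-2021-21992 entry above attributes a denial of service to improper XML entity parsing, the class of problem where a small document with nested entity declarations expands to a huge amount of text in memory. The following is an added example, not VMware code, using only Python's stdlib expat binding: it parses a constructed, deliberately small entity-expansion document once with expansion allowed (to show the amplification) and once with a handler that aborts the parse on the first entity declaration, which is the policy an application that never needs DTD entities should adopt. The document and the sample config are constructed for the example.

```python
import xml.parsers.expat

# Constructed entity-expansion document (three levels of 10x, so 1000 copies of "lol").
# Real attacks nest more levels; this one stays small so the example runs instantly.
BOMB_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

# Constructed benign document of the kind the application actually expects.
BENIGN_SAMPLE = b"<?xml version='1.0'?><config><host>vc.example.com</host></config>"


class EntityDeclarationRejected(Exception):
    pass


def parse_character_data(xml_bytes, allow_entity_declarations=False):
    """Parse the document and return its concatenated character data.

    With allow_entity_declarations=False (the hardened default) any <!ENTITY ...>
    declaration, internal or external, aborts the parse before expansion happens.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_character_data(data):
        chunks.append(data)

    def on_entity_decl(entity_name, *_):
        # Raising inside an expat handler propagates out of parser.Parse().
        raise EntityDeclarationRejected(entity_name)

    parser.CharacterDataHandler = on_character_data
    if not allow_entity_declarations:
        parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def rejects_document(xml_bytes):
    """True if the hardened parser refuses the document because it declares entities."""
    try:
        parse_character_data(xml_bytes)
    except EntityDeclarationRejected:
        return True
    return False


if __name__ == "__main__":
    expanded = parse_character_data(BOMB_SAMPLE, allow_entity_declarations=True)
    print(f"{len(BOMB_SAMPLE)} input bytes expanded to {len(expanded)} characters")
    print("hardened parser rejects bomb:", rejects_document(BOMB_SAMPLE))
    print("hardened parser accepts benign:", parse_character_data(BENIGN_SAMPLE))
```

Recent libexpat versions ship an amplification limit, but it only activates above a multi-megabyte output threshold, so a parser that has no business processing DTDs should still refuse entity declarations outright rather than rely on that ceiling.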
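The CVE-2021-22035 entry above is a CSV injection: attacker-controlled text that ends up in a log event is written verbatim into an exported CSV, and a spreadsheet opening the file treats a cell beginning with `=`, `+`, `-`, `@` (or a tab or carriage return) as a formula. The following is an added example, not Log Insight code, showing an export routine in its vulnerable and hardened forms over constructed log events; the neutralisation prefixes a single quote to any cell that starts with a formula trigger, and quotes every field so the delimiter or embedded quotes cannot split a cell.

```python
import csv
import io

# Characters that make a spreadsheet interpret a cell as a formula or DDE link.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed log events; the third field is free text an unprivileged user controls.
SAMPLE_EVENTS = [
    ("2024-02-28T10:00:00Z", "web01", "login ok user=alice"),
    ("2024-02-28T10:00:05Z", "web02", "=cmd|' /C calc'!A0"),
    ("2024-02-28T10:00:09Z", "web01", "@SUM(1+1)"),
    ("2024-02-28T10:00:12Z", "web03", "-2+3"),
    ("2024-02-28T10:00:15Z", "web01", 'say "hi", then leave'),
]


def neutralize_cell(value):
    """Make a cell inert for spreadsheet consumers: prefix a quote if it starts with a trigger."""
    text = "" if value is None else str(value)
    if text and text[0] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def export_rows(rows, safe=True):
    """Serialise rows to CSV text. safe=False reproduces the vulnerable export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(("timestamp", "source", "message"))
    for row in rows:
        writer.writerow([neutralize_cell(cell) if safe else cell for cell in row])
    return buf.getvalue()


def formula_cells(csv_text):
    """Audit helper: list (row, column) positions whose cell would be evaluated as a formula."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell and cell[0] in FORMULA_TRIGGERS:
                hits.append((r, c))
    return hits


if __name__ == "__main__":
    print("vulnerable export has formula cells at:", formula_cells(export_rows(SAMPLE_EVENTS, safe=False)))
    print("hardened export has formula cells at:", formula_cells(export_rows(SAMPLE_EVENTS)))
    print(export_rows(SAMPLE_EVENTS))
```

The cost of this defence is visible: a legitimate negative number such as `-2+3` is exported as `'-2+3` and becomes text. If the column is known to be numeric, validate it as a number instead of prefixing; apply the prefix only to free-text columns.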
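The CVE-2021-22015 entry above (improper permissions on files and directories leading to root on the appliance) and the CVE-2021-22038 entry (a fixed, non-randomized temporary location that non-Administrators can write to) are both instances of a privileged process trusting a filesystem location that a lower-privileged user can modify. The following is an added example, not VMware code, of the permission audit a practitioner would run on a Linux appliance: it walks a tree and reports world-writable files and directories (ignoring sticky directories such as `/tmp`, whose entries are owner-protected) and setuid/setgid binaries that are group- or world-writable. The sample tree it builds under a temporary directory is constructed for the example; in practice the function would be pointed at paths such as the application's install and data directories.

```python
import os
import stat
import tempfile


def find_weak_permissions(root):
    """Walk root and return sorted (relative_path, reason) pairs for risky modes."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)             # lstat: judge the entry, not its symlink target
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:
                if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
                    continue                # sticky dir: world-writable by design, entries protected
                findings.append((rel, "world-writable"))
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID) \
                    and mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "setuid/setgid and group- or world-writable"))
    return sorted(findings)


def build_sample_tree():
    """Constructed appliance-like tree: one correct config, one world-writable startup script,
    one world-writable data directory, and a sticky scratch directory that must not be flagged."""
    root = tempfile.mkdtemp(prefix="permcheck-")
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    ok_conf = os.path.join(etc, "service.conf")
    open(ok_conf, "w").close()
    os.chmod(ok_conf, 0o640)
    weak_script = os.path.join(etc, "startup.sh")
    open(weak_script, "w").close()
    os.chmod(weak_script, 0o777)            # a root-run script anyone can edit
    weak_dir = os.path.join(root, "var", "data")
    os.makedirs(weak_dir)
    os.chmod(weak_dir, 0o777)               # anyone can plant or replace files here
    scratch = os.path.join(root, "tmp")
    os.makedirs(scratch)
    os.chmod(scratch, 0o1777)               # sticky, like /tmp
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, reason in find_weak_permissions(sample_root):
        print(f"{reason:45} {path}")
```

The same walk is a useful post-patch check: after applying a vendor fix for a permissions issue, re-run it and confirm the list is empty for the install tree rather than trusting the release notes alone.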