Executive Summary
| Summary | |
|---|---|
| Title | - VMware AirWatch Console and Launcher for Android updates resolve multiple vulnerabilities. |
| Informations | |||
|---|---|---|---|
| Name | VMSA-2017-0016 | First vendor Publication | 2017-11-08 |
| Vendor | VMware | Last vendor Modification | 2017-11-08 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 6.8 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| a. VMware AirWatch Console stored XSS vulnerability VMware AirWatch Console (AWC) contains a vulnerability that could allow an authenticated AWC user to add a malicious URL to an enrolled device’s ‘Links’ page. Successful exploitation of this issue could result in an unsuspecting AWC user being redirected to a malicious URL. VMware would like to thank Nicodemo Gawronski for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4930 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. b. VMware AirWatch Console CSV file integrity vulnerability VMware AirWatch Console (AWC) contains a vulnerability that could allow an authenticated AWC user to add malicious data to an enrolled device’s log files. Successful exploitation of this issue could result in an unsuspecting AWC user opening a CSV file which contains malicious content. VMware would like to thank Nicodemo Gawronski for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4931 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. c. VMware AirWatch Launcher for Android UI privilege escalation VMware AirWatch Launcher for Android contains a vulnerability that could allow an escalation of privilege from the launcher UI context menu to native UI functionality and privilege. Successful exploitation of this issue could result in an escalation of privilege. VMware would like to thank Igor Shmakov for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4932 to these issues. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. |
Original Source
| Url : http://www.vmware.com/security/advisories/VMSA-2017-0016.html |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 50 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
| 50 % | CWE-20 | Improper Input Validation |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 2 | |
| Application | 1 |
Alert History
| Date | Informations |
|---|---|
| 2017-12-04 17:23:34 |
|
| 2017-11-17 05:22:44 |
|
| 2017-11-09 05:23:23 |
|
