This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Vmware First view 2016-04-15
Product Vcenter Server Last view 2023-06-22
Version 6.0 Type Application
Update update3d  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:vmware:vcenter_server

Activity : Overall

Related : CVE

  Date Alert Description
7.5 2023-06-22 CVE-2023-20896

The VMware vCenter Server contains an out-of-bounds read vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds read by sending a specially crafted packet leading to denial-of-service of certain services (vmcad, vmdird, and vmafdd).

9.8 2023-06-22 CVE-2023-20895

The VMware vCenter Server contains a memory corruption vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger a memory corruption vulnerability which may bypass authentication.

9.8 2023-06-22 CVE-2023-20894

The VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bound write by sending a specially crafted packet leading to memory corruption.

9.8 2023-06-22 CVE-2023-20893

The VMware vCenter Server contains a use-after-free vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may exploit this issue to execute arbitrary code on the underlying operating system that hosts vCenter Server.

9.8 2023-06-22 CVE-2023-20892

The vCenter Server contains a heap overflow vulnerability due to the usage of uninitialized memory in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may exploit heap-overflow vulnerability to execute arbitrary code on the underlying operating system that hosts vCenter Server.

9.1 2022-10-07 CVE-2022-31680

The vCenter Server contains an unsafe deserialisation vulnerability in the PSC (Platform services controller). A malicious actor with admin access on vCenter server may exploit this issue to execute arbitrary code on the underlying operating system that hosts the vCenter Server.

7.7 2019-09-18 CVE-2019-5534

VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability where Virtual Machines deployed from an OVF could expose login information via the virtual machine's vAppConfig properties. A malicious actor with access to query the vAppConfig properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine).

7.7 2019-09-18 CVE-2019-5532

VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability due to the logging of credentials in plain-text for virtual machines deployed through OVF. A malicious user with access to the log files containing vCenter OVF-properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine).

5.4 2019-09-18 CVE-2019-5531

VMware vSphere ESXi (6.7 prior to ESXi670-201810101-SG, 6.5 prior to ESXi650-201811102-SG, and 6.0 prior to ESXi600-201807103-SG) and VMware vCenter Server (6.7 prior to 6.7 U1b, 6.5 prior to 6.5 U2b, and 6.0 prior to 6.0 U3j) contain an information disclosure vulnerability in clients arising from insufficient session expiration. An attacker with physical access or an ability to mimic a websocket connection to a user’s browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out.

7.5 2017-11-17 CVE-2017-4927

VMware vCenter Server (6.5 prior to 6.5 U1 and 6.0 prior to 6.0 U3c) does not correctly handle specially crafted LDAP network packets which may allow for remote denial of service.

6.1 2016-08-07 CVE-2016-5331

CRLF injection vulnerability in VMware vCenter Server 6.0 before U2 and ESXi 6.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

7.6 2016-04-15 CVE-2016-2076

Client Integration Plugin (CIP) in VMware vCenter Server 5.5 U3a, U3b, and U3c and 6.0 before U2; vCloud Director 5.5.5; and vRealize Automation Identity Appliance 6.2.4 before 6.2.4.1 mishandles session content, which allows remote attackers to hijack sessions via a crafted web site.

CWE : Common Weakness Enumeration

%idName
23% (3) CWE-787 Out-of-bounds Write
7% (1) CWE-613 Insufficient Session Expiration
7% (1) CWE-532 Information Leak Through Log Files
7% (1) CWE-522 Insufficiently Protected Credentials
7% (1) CWE-502 Deserialization of Untrusted Data
7% (1) CWE-416 Use After Free
7% (1) CWE-287 Improper Authentication
7% (1) CWE-200 Information Exposure
7% (1) CWE-125 Out-of-bounds Read
7% (1) CWE-93 Failure to Sanitize CRLF Sequences ('CRLF Injection')
7% (1) CWE-90 Failure to Sanitize Data into LDAP Queries ('LDAP Injection')

Nessus® Vulnerability Scanner

id Description
2017-11-17 Name: A virtualization management application installed on the remote host is affec...
File: vmware_vcenter_vmsa-2017-0017.nasl - Type: ACT_GATHER_INFO
2016-08-12 Name: The remote VMware ESXi host is affected by multiple vulnerabilities.
File: vmware_VMSA-2016-0010_remote.nasl - Type: ACT_GATHER_INFO
2016-08-11 Name: A virtualization management application installed on the remote host is affec...
File: vmware_vcenter_vmsa-2016-0010.nasl - Type: ACT_GATHER_INFO
2016-04-26 Name: A virtualization management application installed on the remote host is affec...
File: vmware_vcenter_vmsa-2016-0004.nasl - Type: ACT_GATHER_INFO
2016-04-26 Name: A virtualization appliance installed on the remote host is affected by a sess...
File: vmware_vcloud_director_vmsa-2016-0004.nasl - Type: ACT_GATHER_INFO