Executive Summary
Summary | |
---|---|
Title | VMware vSphere Client updates address security vulnerabilities |
Information | |||
---|---|---|---|
Name | VMSA-2014-0003 | First vendor Publication | 2014-04-10 |
Vendor | VMware | Last vendor Modification | 2014-04-10 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
CVSS vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
CVSS vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
CVSS Base Score | 9.3 | Attack Range | Network |
CVSS Impact Score | 10 | Attack Complexity | Medium |
CVSS Exploit Score | 8.6 | Authentication | None Required |
Detail
a. vSphere Client Insecure Client Download

vSphere Client contains a vulnerability in accepting an updated vSphere Client file from an untrusted source. The vulnerability may allow a host to direct vSphere Client to download and execute an arbitrary file from any URI. This issue can be exploited if the host has been compromised or if a user has been tricked into clicking a malicious link.

VMware would like to thank Recurity Labs GmbH and the Bundesamt Sicherheit in der Informationstechnik (BSI) for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-1209 to this issue.

b. VMware vSphere Client spoofing vulnerability

VMware vSphere Client contains a vulnerability in the validation of the server security certificate. Exploitation of the issue may lead to vCenter server being spoofed. A user would have to be tricked into clicking a malicious link.

VMware would like to thank Recurity Labs GmbH and the Bundesamt Sicherheit in der Informationstechnik (BSI) for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-1210 to this issue.
Original Source
URL : http://www.vmware.com/security/advisories/VMSA-2014-0003.html
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-310 | Cryptographic Issues |
50 % | CWE-20 | Improper Input Validation |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | | 4 |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2014-04-17 | IAVM : 2014-B-0043 - Multiple Security Vulnerabilities in VMware vSphere Client Severity : Category II - VMSKEY : V0049573 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-12-30 | Name : The remote VMware ESX / ESXi host is missing a security-related patch. File : vmware_VMSA-2014-0003_remote.nasl - Type : ACT_GATHER_INFO |
2014-04-17 | Name : The remote host has a virtualization client application installed that is aff... File : vsphere_client_vmsa_2014-0003.nasl - Type : ACT_GATHER_INFO |
2014-04-11 | Name : The remote VMware ESXi / ESX host is missing a security-related patch. File : vmware_VMSA-2014-0003.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2015-12-31 13:26:17 | |
2014-04-18 21:24:39 | |
2014-04-18 13:25:58 | |
2014-04-15 13:26:36 | |
2014-04-12 13:22:57 | |
2014-04-12 00:23:14 | |
2014-04-11 09:19:41 | |