CVE-2010-1139

Format string vulnerability in vmrun in VMware VIX API 1.6.x, VMware Workstation 6.5.x before 6.5.4 build 246459, VMware Player 2.5.x before 2.5.4 build 246459, and VMware Server 2.x on Linux, and VMware Fusion 2.x before 2.0.7 build 246742, allows local users to gain privileges via format string specifiers in process metadata.

CVSS v2.0 7.2 HIGH

7.2^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://secunia.com/advisories/39206	Vendor Advisory
http://secunia.com/advisories/39215	Vendor Advisory
http://secunia.com/advisories/39201	Vendor Advisory
http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0121.html
http://lists.vmware.com/pipermail/security-announce/2010/000090.html	Vendor Advisory Patch
http://www.vmware.com/security/advisories/VMSA-2010-0007.html	Patch Vendor Advisory
http://archives.neohapsis.com/archives/bugtraq/2010-04/0077.html
http://www.securityfocus.com/bid/39407
http://www.securitytracker.com/id?1023835
http://osvdb.org/63606
http://security.gentoo.org/glsa/glsa-201209-25.xml

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vmware:workstation:6.5.3:::::::*
	cpe:2.3:a:vmware:workstation:6.5.0:::::::*
	cpe:2.3:a:vmware:workstation:6.5.1:::::::*
	cpe:2.3:a:vmware:workstation:6.5.2:::::::*

Configuration 2 (hide)

AND

OR	cpe:2.3:a:vmware:player:2.5.1:::::::*
	cpe:2.3:a:vmware:player:2.5.2:::::::*
	cpe:2.3:a:vmware:player:2.5:::::::*

OR	cpe:2.3:a:vmware:player:2.5.3:::::::*
	cpe:2.3:o:linux:linux_kernel::::::::

Configuration 3 (hide)

AND

OR	cpe:2.3:a:vmware:server:2.0.1:::::::*
	cpe:2.3:a:vmware:server:2.0.2:::::::*
	cpe:2.3:a:vmware:server:2.0.0:::::::*

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Configuration 4 (hide)

OR	cpe:2.3:a:vmware:fusion:2.0.4:::::::*
	cpe:2.3:a:vmware:fusion:2.0.5:::::::*
	cpe:2.3:a:vmware:fusion:2.0.6:::::::*
	cpe:2.3:a:vmware:fusion:2.0.1:::::::*
	cpe:2.3:a:vmware:fusion:2.0.2:::::::*
	cpe:2.3:a:vmware:fusion:2.0.3:::::::*
	cpe:2.3:a:vmware:fusion:2.0:::::::*

Configuration 5 (hide)

OR	cpe:2.3:a:vmware:vix_api:1.6.0:::::::*
	cpe:2.3:a:vmware:vix_api:1.6.1:::::::*

Information

Published : 2010-04-12 11:30

Updated : 2013-05-14 20:07

NVD link : CVE-2010-1139

Mitre link : CVE-2010-1139

JSON object : View

CWE

CWE-134

Use of Externally-Controlled Format String

Products Affected

vmware

vix_api
workstation
player
fusion
server

linux

linux_kernel

7.2 /10