CVE-2017-4928

The flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f) i.e. not the new HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with modified headers towards internal services leading to information disclosure.
References
Link Resource
https://www.vmware.com/security/advisories/VMSA-2017-0017.html Patch Vendor Advisory
http://www.securitytracker.com/id/1039759 Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/101785 Third Party Advisory VDB Entry
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

OR cpe:2.3:a:vmware:vcenter_server:5.5:*:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:5.5:b:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:5.5:3d:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:5.5:3e:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:6.0:2:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:6.0:2a:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:6.0:3:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:5.5:1c:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:5.5:2:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:5.5:2b:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:5.5:2d:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:6.0:a:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:6.0:b:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:6.0:*:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:6.0:2m:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:5.5:1:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:5.5:1a:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:5.5:c:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:5.5:1b:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:5.5:2e:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:5.5:3:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:5.5:3a:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:5.5:3b:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:6.0:3a:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:6.0:3b:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:6.0:1:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server:6.0:1b:*:*:*:*:*:*

Information

Published : 2017-11-17 06:29

Updated : 2018-10-30 09:27


NVD link : CVE-2017-4928

Mitre link : CVE-2017-4928


JSON object : View

CWE
CWE-352

Cross-Site Request Forgery (CSRF)

CWE-918

Server-Side Request Forgery (SSRF)

Advertisement

dedicated server usa

Products Affected

vmware

  • vcenter_server