Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Vmware Subscribe
Total 780 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-38650 1 Vmware 1 Hyperic Server 2022-11-16 N/A 10.0 CRITICAL
** UNSUPPORTED WHEN ASSIGNED ** A remote unauthenticated insecure deserialization vulnerability exists in VMware Hyperic Server 5.8.6. Exploitation of this vulnerability enables a malicious party to run arbitrary code or malware within Hyperic Server and the host operating system with the privileges of the Hyperic server process. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2022-38652 1 Vmware 1 Hyperic Agent 2022-11-16 N/A 9.9 CRITICAL
** UNSUPPORTED WHEN ASSIGNED ** A remote insecure deserialization vulnerability exixsts in VMWare Hyperic Agent 5.8.6. Exploitation of this vulnerability enables a malicious authenticated user to run arbitrary code or malware within a Hyperic Agent instance and its host operating system with the privileges of the Hyperic Agent process (often SYSTEM on Windows platforms). NOTE: prior exploitation of CVE-2022-38650 results in the disclosure of the authentication material required to exploit this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2022-38651 1 Vmware 1 Hyperic Server 2022-11-16 N/A 9.8 CRITICAL
** UNSUPPORTED WHEN ASSIGNED ** A security filter misconfiguration exists in VMware Hyperic Server 5.8.6. Exploitation of this vulnerability enables a malicious party to bypass some authentication requirements when issuing requests to Hyperic Server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2022-31676 6 Debian, Fedoraproject, Linux and 3 more 6 Debian Linux, Fedora, Linux Kernel and 3 more 2022-11-16 N/A 7.8 HIGH
VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine.
CVE-2022-31691 1 Vmware 5 Bosh Editor, Cloudfoundry Manifest Yml Support, Concourse Ci Pipeline Editor and 2 more 2022-11-14 N/A 9.8 CRITICAL
Spring Tools 4 for Eclipse version 4.16.0 and below as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below all use Snakeyaml library for YAML editing support. This library allows for some special syntax in the YAML that under certain circumstances allows for potentially harmful remote code execution by the attacker.
CVE-2022-31689 1 Vmware 1 Workspace One Assist 2022-11-10 N/A 9.8 CRITICAL
VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. A malicious actor who obtains a valid session token may be able to authenticate to the application using that token.
CVE-2022-31688 1 Vmware 1 Workspace One Assist 2022-11-10 N/A 6.1 MEDIUM
VMware Workspace ONE Assist prior to 22.10 contains a Reflected cross-site scripting (XSS) vulnerability. Due to improper user input sanitization, a malicious actor with some user interaction may be able to inject javascript code in the target user's window.
CVE-2022-31686 1 Vmware 1 Workspace One Assist 2022-11-10 N/A 9.8 CRITICAL
VMware Workspace ONE Assist prior to 22.10 contains a Broken Authentication Method vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application.
CVE-2022-31687 1 Vmware 1 Workspace One Assist 2022-11-10 N/A 9.8 CRITICAL
VMware Workspace ONE Assist prior to 22.10 contains a Broken Access Control vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application.
CVE-2022-31685 1 Vmware 1 Workspace One Assist 2022-11-10 N/A 9.8 CRITICAL
VMware Workspace ONE Assist prior to 22.10 contains an Authentication Bypass vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application.
CVE-2022-31008 1 Vmware 1 Rabbitmq 2022-11-07 N/A 7.5 HIGH
RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed and Patched versions: `3.10.2`, `3.9.18`, `3.8.32` are available. Users unable to upgrade should disable the Shovel and Federation plugins.
CVE-2021-22057 2 Linux, Vmware 2 Linux Kernel, Workspace One Access 2022-11-03 6.5 MEDIUM 8.8 HIGH
VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 contain an authentication bypass vulnerability. A malicious actor, who has successfully provided first-factor authentication, may be able to obtain second-factor authentication provided by VMware Verify.
CVE-2022-31678 1 Vmware 2 Cloud Foundation, Nsx Data Center 2022-10-31 N/A 9.1 CRITICAL
VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure.
CVE-2021-22118 3 Netapp, Oracle, Vmware 32 Hci, Management Services For Element Software, Commerce Guided Search and 29 more 2022-10-25 4.6 MEDIUM 7.8 HIGH
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
CVE-2021-22117 2 Microsoft, Vmware 2 Windows, Rabbitmq 2022-10-25 4.6 MEDIUM 7.8 HIGH
RabbitMQ installers on Windows prior to version 3.8.16 do not harden plugin directory permissions, potentially allowing attackers with sufficient local filesystem permissions to add arbitrary plugins.
CVE-2021-22116 2 Debian, Vmware 2 Debian Linux, Rabbitmq 2022-10-25 4.3 MEDIUM 7.5 HIGH
RabbitMQ all versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in AMQP 1.0 client connection endpoint. A malicious user can exploit the vulnerability by sending malicious AMQP messages to the target RabbitMQ instance having the AMQP 1.0 plugin enabled.
CVE-2021-22044 1 Vmware 1 Spring Cloud Openfeign 2022-10-25 5.0 MEDIUM 7.5 HIGH
In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to 2.2.9.RELEASE, and older unsupported versions, applications using type-level `@RequestMapping`annotations over Feign client interfaces, can be involuntarily exposing endpoints corresponding to `@RequestMapping`-annotated interface methods.
CVE-2022-22968 3 Netapp, Oracle, Vmware 7 Active Iq Unified Manager, Cloud Secure Agent, Metrocluster Tiebreaker and 4 more 2022-10-19 5.0 MEDIUM 5.3 MEDIUM
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CVE-2022-22947 2 Oracle, Vmware 10 Commerce Guided Search, Communications Cloud Native Core Binding Support Function, Communications Cloud Native Core Console and 7 more 2022-10-17 6.8 MEDIUM 10.0 CRITICAL
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
CVE-2022-31682 1 Vmware 1 Vrealize Operations 2022-10-13 N/A 4.9 MEDIUM
VMware Aria Operations contains an arbitrary file read vulnerability. A malicious actor with administrative privileges may be able to read arbitrary files containing sensitive data.