PT-2017-16211 · Vmware · Vsphere Web Client+1

Publicado

2017-11-17

Atualizado

2018-10-30

CVE-2017-4928

CVSS v3.1

7.5

Alta

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions vSphere Web Client versions 6.0 prior to 6.0 U3c vSphere Web Client versions 5.5 prior to 5.5 U3f

Description The flash-based vSphere Web Client contains issues due to improper neutralization of URLs, specifically Server-Side Request Forgery (SSRF) and CRLF injection. An attacker may exploit these issues by sending a POST request with modified headers towards internal services, leading to information disclosure.

Recommendations For vSphere Web Client versions 6.0 prior to 6.0 U3c, update to version 6.0 U3c or later. For vSphere Web Client versions 5.5 prior to 5.5 U3f, update to version 5.5 U3f or later.

Correção

CSRF

SSRF

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-352CWE-918

Identificadores relacionados

CVE-2017-4928

Produtos afetados

Vmware Vcenter

Vsphere Web Client

PT-2017-16211 · Vmware · Vsphere Web Client+1

CVE-2017-4928

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 5