VMware Cloud Director contains a partial information disclosure vulnerability. A malicious actor can potentially gather information about organization names based on the behavior of the instance.
Max CVSS
4.3
EPSS Score
0.04%
Published
2024-03-07
Updated
2024-03-12
VMware Workstation and Fusion contain an out-of-bounds read vulnerability in the USB CCID (chip card interface device). A malicious actor with local administrative privileges on a virtual machine may trigger an out-of-bounds read leading to information disclosure.
Max CVSS
5.9
EPSS Score
0.04%
Published
2024-02-29
Updated
2024-02-29
Aria Operations for Networks contains a cross site scripting vulnerability. A malicious actor with admin privileges can inject a malicious payload into the login banner and takeover the user account.  
Max CVSS
4.8
EPSS Score
0.04%
Published
2024-02-06
Updated
2024-02-10
Aria Operations for Networks contains a local file read vulnerability. A malicious actor with admin privileges may exploit this vulnerability leading to unauthorized access to sensitive information.
Max CVSS
4.9
EPSS Score
0.05%
Published
2024-02-06
Updated
2024-02-10
Aria Operations for Networks contains a cross site scripting vulnerability. A malicious actor with admin privileges may be able to inject malicious code into user profile configurations due to improper input sanitization.
Max CVSS
6.4
EPSS Score
0.04%
Published
2024-02-06
Updated
2024-02-10
In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.
Max CVSS
5.5
EPSS Score
0.04%
Published
2024-01-31
Updated
2024-02-09
VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.
Max CVSS
6.7
EPSS Score
0.04%
Published
2024-02-21
Updated
2024-02-22
RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.
Max CVSS
4.9
EPSS Score
0.14%
Published
2023-10-25
Updated
2023-12-14
Workspace ONE Launcher contains a Privilege Escalation Vulnerability. A malicious actor with physical access to Workspace ONE Launcher could utilize the Edge Panel feature to bypass setup to gain access to sensitive information.
Max CVSS
4.6
EPSS Score
0.08%
Published
2023-12-12
Updated
2023-12-18
vCenter Server contains a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data.
Max CVSS
4.3
EPSS Score
N/A
Published
2023-10-25
Updated
2023-10-31
In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * org.springframework.boot:spring-boot-actuator is on the classpath
Max CVSS
6.5
EPSS Score
0.04%
Published
2023-11-28
Updated
2023-12-21
In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if * the SimpleMessageConverter or SerializerMessageConverter is used * the user does not configure allowed list patterns * untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content
Max CVSS
5.0
EPSS Score
0.05%
Published
2023-10-19
Updated
2023-10-25
A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry.
Max CVSS
4.3
EPSS Score
0.06%
Published
2023-09-20
Updated
2023-10-18
VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.
Max CVSS
6.7
EPSS Score
0.04%
Published
2023-09-27
Updated
2023-09-29
The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.
Max CVSS
5.5
EPSS Score
0.04%
Published
2024-02-05
Updated
2024-02-12
VMware Horizon Server contains an information disclosure vulnerability. A malicious actor with network access may be able to access information relating to the internal network configuration.
Max CVSS
5.3
EPSS Score
0.05%
Published
2023-08-04
Updated
2023-08-09
VMware Horizon Server contains a HTTP request smuggling vulnerability. A malicious actor with network access may be able to perform HTTP smuggle requests.
Max CVSS
5.3
EPSS Score
0.05%
Published
2023-08-04
Updated
2023-08-09
Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything else in place to handle (and possibly discard) forwarded headers either in WebFlux or at the level of the underlying HTTP server. For the application to be affected, it needs to satisfy the following requirements: * It needs to use the reactive web stack (Spring WebFlux) and Spring HATEOAS to create links in hypermedia-based responses. * The application infrastructure does not guard against clients submitting (X-)Forwarded… headers.
Max CVSS
5.3
EPSS Score
0.05%
Published
2023-07-17
Updated
2023-07-17
The VMware Tanzu Application Service for VMs and Isolation Segment contain an information disclosure vulnerability due to the logging of credentials in hex encoding in platform system audit logs. A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs.
Max CVSS
6.5
EPSS Score
0.05%
Published
2023-07-26
Updated
2023-08-03
VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. An unauthenticated malicious actor may be able to redirect a victim to an attacker controlled domain due to improper path handling leading to sensitive information disclosure.
Max CVSS
6.1
EPSS Score
0.05%
Published
2023-05-30
Updated
2023-06-05
VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.
Max CVSS
6.7
EPSS Score
0.04%
Published
2023-05-12
Updated
2023-05-24
VMware Aria Operations contains a Local privilege escalation vulnerability. A malicious actor with administrative privileges in the Aria Operations application can gain root access to the underlying operating system.
Max CVSS
6.7
EPSS Score
0.04%
Published
2023-05-12
Updated
2023-06-02
VMware Workstation and Fusion contain an out-of-bounds read vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine.
Max CVSS
6.0
EPSS Score
0.10%
Published
2023-04-25
Updated
2023-05-04
NSX-T contains a reflected cross-site scripting vulnerability due to a lack of input validation. A remote attacker can inject HTML or JavaScript to redirect to malicious pages.
Max CVSS
6.1
EPSS Score
0.06%
Published
2023-05-26
Updated
2023-06-02
In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using HeaderHttpSessionIdResolver.
Max CVSS
6.5
EPSS Score
0.05%
Published
2023-04-13
Updated
2023-04-21
333 vulnerabilities found
1 2 3 4 5 6 7 8 9 10 11 12 13 14
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!