CVE-2016-2076 : Client Integration Plugin (CIP) in VMware vCenter Server 5.5 U3a, U3b, and U3c a

Client Integration Plugin (CIP) in VMware vCenter Server 5.5 U3a, U3b, and U3c and 6.0 before U2; vCloud Director 5.5.5; and vRealize Automation Identity Appliance 6.2.4 before 6.2.4.1 mishandles session content, which allows remote attackers to hijack sessions via a crafted web site.

Published 2016-04-15 14:59:10

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2016-2076

Vmware » Vcenter Server » Update 1B
Versions up to, including, (<=) 6.0
cpe:2.3:a:vmware:vcenter_server:*:1b:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 5.5 Update 3A
cpe:2.3:a:vmware:vcenter_server:5.5:3a:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 5.5 Update U3C
cpe:2.3:a:vmware:vcenter_server:5.5:u3c:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 5.5 Update 3B
cpe:2.3:a:vmware:vcenter_server:5.5:3b:*:*:*:*:*:*
Matching versions
Vmware » Vcloud Director » Version: 5.5.5
cpe:2.3:a:vmware:vcloud_director:5.5.5:*:*:*:*:*:*:*
Matching versions
Vmware » Vcloud Automation Identity Appliance » Version: 6.2.4
cpe:2.3:a:vmware:vcloud_automation_identity_appliance:6.2.4:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-2076

EPSS FAQ

0.44%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 60 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-2076

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.6	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L	2.8	4.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: Low Availability: Low

CWE ids for CVE-2016-2076

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-2076

http://www.vmware.com/security/advisories/VMSA-2016-0004.html

VMSA-2016-0004
Vendor Advisory
http://www.securitytracker.com/id/1035572

VMware vCenter Server VMware Client Integration Plugin Session Handling Flaw Lets Remote Users Hijack the Target User's Session - SecurityTracker
Third Party Advisory
http://www.securitytracker.com/id/1035570

VMware vRealize Automation Identity Appliance VMware Client Integration Plugin Session Handling Flaw Lets Remote Users Hijack the Target User's Session - SecurityTracker
Third Party Advisory
http://www.securitytracker.com/id/1035571

VMware vCloud Director VMware Client Integration Plugin Session Handling Flaw Lets Remote Users Hijack the Target User's Session - SecurityTracker
Third Party Advisory

Jump to

Vulnerability Details : CVE-2016-2076

Products affected by CVE-2016-2076

Exploit prediction scoring system (EPSS) score for CVE-2016-2076

CVSS scores for CVE-2016-2076

CWE ids for CVE-2016-2076

References for CVE-2016-2076