Vulnerability Details : CVE-2017-4919
VMware vCenter Server 5.5, 6.0, 6.5 allows vSphere users with certain, limited vSphere privileges to use the VIX API to access Guest Operating Systems without the need to authenticate.
Products affected by CVE-2017-4919
- cpe:2.3:a:vmware:vcenter_server:5.5:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-4919
- EPSS score: 0.92% (probability of exploitation activity in the next 30 days)
- Percentile: ~74% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2017-4919
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
9.0 | CRITICAL | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 2.2 | 6.0 | NIST | |
CWE ids for CVE-2017-4919
- The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-4919
- http://www.vmware.com/security/advisories/VMSA-2017-0012.html
  VMSA-2017-0012 (Mitigation; Vendor Advisory)
- http://www.securitytracker.com/id/1039004
  VMware vCenter Server VIX API Direct Access Function Lets Remote Authenticated vSphere Users Access the Target Guest System - SecurityTracker (Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/bid/100102
  VMware vCenter Server CVE-2017-4919 Local Authentication Bypass Vulnerability (Third Party Advisory; VDB Entry)