Vulnerability Details: CVE-2017-4952
VMware Xenon 1.x, prior to 1.5.4-CR7_1, 1.5.7_7, 1.5.4-CR6_2, 1.3.7-CR1_2, 1.1.0-CR0-3, 1.1.0-CR3_1, 1.4.2-CR4_1, and 1.5.4_8, contains an authentication bypass vulnerability due to insufficient access controls for utility endpoints. Successful exploitation of this issue may result in information disclosure.
Vulnerability category: Information leak
Products affected by CVE-2017-4952
- cpe:2.3:a:vmware:xenon:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:xenon:1.3.7:cr1_2:*:*:*:*:*:*
- cpe:2.3:a:vmware:xenon:1.5.7_7:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:xenon:1.5.4:cr6_1:*:*:*:*:*:*
- cpe:2.3:a:vmware:xenon:1.5.4:cr7:*:*:*:*:*:*
- cpe:2.3:a:vmware:xenon:1.1.0:cr0-3:*:*:*:*:*:*
- cpe:2.3:a:vmware:xenon:1.1.0:cr3_1:*:*:*:*:*:*
- cpe:2.3:a:vmware:xenon:1.5.4:cr2:*:*:*:*:*:*
- cpe:2.3:a:vmware:xenon:1.5.4:cr3:*:*:*:*:*:*
- cpe:2.3:a:vmware:xenon:1.5.4:cr4:*:*:*:*:*:*
- cpe:2.3:a:vmware:xenon:1.5.4:cr5:*:*:*:*:*:*
- cpe:2.3:a:vmware:xenon:1.4.2:cr4_1:*:*:*:*:*:*
- cpe:2.3:a:vmware:xenon:1.5.4_8:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:xenon:1.5.4:cr6:*:*:*:*:*:*
- cpe:2.3:a:vmware:xenon:1.5.4:cr6_2:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-4952
- 0.36%: probability of exploitation activity in the next 30 days
- ~72%: percentile, the proportion of vulnerabilities that are scored at or below this value
CVSS scores for CVE-2017-4952
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2017-4952
- The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-4952
- https://github.com/vmware/xenon/commit/7a747d82b80cd38d2c11a0d9cdedb71c722a2c75
  Add auth to UtilityService · vmware/xenon@7a747d8 · GitHub (Patch; Third Party Advisory)
- http://www.securityfocus.com/bid/103093
  VMware Xenon CVE-2017-4952 Authentication Bypass Vulnerability (Third Party Advisory; VDB Entry)
- https://github.com/vmware/xenon/commit/b1fd306047ecdac82661d636ebee801a7f2b3a0a
  Add auth to UtilityService · vmware/xenon@b1fd306 · GitHub (Patch; Third Party Advisory)
- http://seclists.org/oss-sec/2018/q1/153
  oss-sec: Authentication Bypass Vulnerability in VMware Xenon (CVE-2017-4952) (Mailing List; Third Party Advisory)
- https://github.com/vmware/xenon/commit/055ae13603f0cc3cd7cf59f20ce314bf8db583e1
  Add auth to UtilityService · vmware/xenon@055ae13 · GitHub (Patch; Third Party Advisory)
- https://github.com/vmware/xenon/commit/c23964eb57e846126daef98ef7ed15400313e977
  Add auth to UtilityService · vmware/xenon@c23964e · GitHub (Patch; Third Party Advisory)
- https://github.com/vmware/xenon/commit/ec30db9afada9cb52852082ce4d7d0095524f3b3
  Add auth to UtilityService · vmware/xenon@ec30db9 · GitHub (Patch; Third Party Advisory)
- https://github.com/vmware/xenon/commit/06b9947cf603ba40fd8b03bfeb2e84528a7ab592
  Add auth to UtilityService · vmware/xenon@06b9947 · GitHub (Patch; Third Party Advisory)
- https://github.com/vmware/xenon/commit/756d893573414eec8635c2aba2345c4dcf10b21c
  Add auth to UtilityService · vmware/xenon@756d893 · GitHub (Patch; Third Party Advisory)
- https://github.com/vmware/xenon/commit/5682ef8d40569afd00fb9a5933e7706bb5b66713
  Add auth to UtilityService · vmware/xenon@5682ef8 · GitHub (Patch; Third Party Advisory)
- https://github.com/vmware/xenon/commit/30ae41bccf418d88b52b35a81efb3c1304b798f8
  Add auth to UtilityService · vmware/xenon@30ae41b · GitHub (Patch; Third Party Advisory)