CVE-2019-5534 : VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior

VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability where Virtual Machines deployed from an OVF could expose login information via the virtual machine's vAppConfig properties. A malicious actor with access to query the vAppConfig properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine).

Published 2019-09-18 21:15:13

Updated 2022-04-22 19:49:47

Source VMware

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2019-5534

Vmware » Vcenter Server » Version: 6.0
cpe:2.3:a:vmware:vcenter_server:6.0:*:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update A
cpe:2.3:a:vmware:vcenter_server:6.0:a:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update B
cpe:2.3:a:vmware:vcenter_server:6.0:b:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.5
cpe:2.3:a:vmware:vcenter_server:6.5:*:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.5 Update C
cpe:2.3:a:vmware:vcenter_server:6.5:c:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.5 Update B
cpe:2.3:a:vmware:vcenter_server:6.5:b:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.5 Update A
cpe:2.3:a:vmware:vcenter_server:6.5:a:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.5 Update D
cpe:2.3:a:vmware:vcenter_server:6.5:d:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update U3
cpe:2.3:a:vmware:vcenter_server:6.0:u3:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update U1
cpe:2.3:a:vmware:vcenter_server:6.0:u1:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update U1B
cpe:2.3:a:vmware:vcenter_server:6.0:u1b:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.7 Update D
cpe:2.3:a:vmware:vcenter_server:6.7:d:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.7 Update C
cpe:2.3:a:vmware:vcenter_server:6.7:c:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.7 Update A
cpe:2.3:a:vmware:vcenter_server:6.7:a:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.7 Update B
cpe:2.3:a:vmware:vcenter_server:6.7:b:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.7
cpe:2.3:a:vmware:vcenter_server:6.7:*:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.5 Update Update1
cpe:2.3:a:vmware:vcenter_server:6.5:update1:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.5 Update Update1b
cpe:2.3:a:vmware:vcenter_server:6.5:update1b:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.5 Update Update1c
cpe:2.3:a:vmware:vcenter_server:6.5:update1c:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.5 Update Update1d
cpe:2.3:a:vmware:vcenter_server:6.5:update1d:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.5 Update Update1e
cpe:2.3:a:vmware:vcenter_server:6.5:update1e:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.5 Update Update1g
cpe:2.3:a:vmware:vcenter_server:6.5:update1g:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.5 Update Update2
cpe:2.3:a:vmware:vcenter_server:6.5:update2:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.5 Update Update2b
cpe:2.3:a:vmware:vcenter_server:6.5:update2b:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.5 Update Update2c
cpe:2.3:a:vmware:vcenter_server:6.5:update2c:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.5 Update Update2d
cpe:2.3:a:vmware:vcenter_server:6.5:update2d:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.5 Update Update2g
cpe:2.3:a:vmware:vcenter_server:6.5:update2g:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.7 Update Update1
cpe:2.3:a:vmware:vcenter_server:6.7:update1:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.7 Update Update1b
cpe:2.3:a:vmware:vcenter_server:6.7:update1b:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.7 Update Update2
cpe:2.3:a:vmware:vcenter_server:6.7:update2:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.7 Update Update2a
cpe:2.3:a:vmware:vcenter_server:6.7:update2a:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.7 Update Update2c
cpe:2.3:a:vmware:vcenter_server:6.7:update2c:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update Update2m
cpe:2.3:a:vmware:vcenter_server:6.0:update2m:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update Update2a
cpe:2.3:a:vmware:vcenter_server:6.0:update2a:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update Update3a
cpe:2.3:a:vmware:vcenter_server:6.0:update3a:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update Update3f
cpe:2.3:a:vmware:vcenter_server:6.0:update3f:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update Update3g
cpe:2.3:a:vmware:vcenter_server:6.0:update3g:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update Update3h
cpe:2.3:a:vmware:vcenter_server:6.0:update3h:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update Update3i
cpe:2.3:a:vmware:vcenter_server:6.0:update3i:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update Update2
cpe:2.3:a:vmware:vcenter_server:6.0:update2:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update Update3b
cpe:2.3:a:vmware:vcenter_server:6.0:update3b:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update Update3d
cpe:2.3:a:vmware:vcenter_server:6.0:update3d:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update Update3c
cpe:2.3:a:vmware:vcenter_server:6.0:update3c:*:*:*:*:*:*
Matching versions
Vmware » Vcenter Server » Version: 6.0 Update Update3e
cpe:2.3:a:vmware:vcenter_server:6.0:update3e:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-5534

EPSS FAQ

0.95%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 75 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-5534

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.7	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N	3.1	4.0	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2019-5534

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)
CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-5534

http://packetstormsecurity.com/files/154536/VMware-Security-Advisory-2019-0013.html

VMware Security Advisory 2019-0013 ≈ Packet Storm
Third Party Advisory;VDB Entry

CVEs referencing this url
https://www.vmware.com/security/advisories/VMSA-2019-0013.html

VMSA-2019-0013.1
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2019-5534

Products affected by CVE-2019-5534

Exploit prediction scoring system (EPSS) score for CVE-2019-5534

CVSS scores for CVE-2019-5534

CWE ids for CVE-2019-5534

References for CVE-2019-5534