Filtered by vendor Vmware
Subscribe
Total
922 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-5413 | 2 Oracle, Vmware | 8 Banking Corporate Lending Process Management, Banking Credit Facilities Process Management, Banking Supply Chain Finance and 5 more | 2022-05-12 | 7.5 HIGH | 9.8 CRITICAL |
| Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code. | |||||
| CVE-2020-3965 | 1 Vmware | 4 Cloud Foundation, Esxi, Fusion and 1 more | 2022-05-03 | 2.1 LOW | 5.5 MEDIUM |
| VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-202006401-SG and 6.5 before ESXi650-202005401-SG), Workstation (15.x before 15.5.2), and Fusion (11.x before 11.5.2) contain an information leak in the XHCI USB controller. A malicious actor with local access to a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine. | |||||
| CVE-2020-3964 | 1 Vmware | 4 Cloud Foundation, Esxi, Fusion and 1 more | 2022-05-03 | 1.9 LOW | 4.7 MEDIUM |
| VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-202006401-SG and 6.5 before ESXi650-202005401-SG), Workstation (15.x before 15.5.2), and Fusion (11.x before 11.5.2) contain an information leak in the EHCI USB controller. A malicious actor with local access to a virtual machine may be able to read privileged information contained in the hypervisor's memory. Additional conditions beyond the attacker's control need to be present for exploitation to be possible. | |||||
| CVE-2021-22096 | 3 Netapp, Oracle, Vmware | 8 Active Iq Unified Manager, Management Services For Element Software And Netapp Hci, Metrocluster Tiebreaker and 5 more | 2022-04-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. | |||||
| CVE-2019-5534 | 1 Vmware | 1 Vcenter Server | 2022-04-22 | 4.0 MEDIUM | 7.7 HIGH |
| VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability where Virtual Machines deployed from an OVF could expose login information via the virtual machine's vAppConfig properties. A malicious actor with access to query the vAppConfig properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine). | |||||
| CVE-2019-5532 | 1 Vmware | 1 Vcenter Server | 2022-04-22 | 4.0 MEDIUM | 7.7 HIGH |
| VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability due to the logging of credentials in plain-text for virtual machines deployed through OVF. A malicious user with access to the log files containing vCenter OVF-properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine). | |||||
| CVE-2022-22966 | 1 Vmware | 1 Vcloud Director | 2022-04-22 | 6.5 MEDIUM | 7.2 HIGH |
| An authenticated, high privileged malicious actor with network access to the VMware Cloud Director tenant or provider may be able to exploit a remote code execution vulnerability to gain access to the server. | |||||
| CVE-2022-22959 | 2 Linux, Vmware | 6 Linux Kernel, Cloud Foundation, Identity Manager and 3 more | 2022-04-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a cross site request forgery vulnerability. A malicious actor can trick a user through a cross site request forgery to unintentionally validate a malicious JDBC URI. | |||||
| CVE-2014-0097 | 1 Vmware | 1 Spring Security | 2022-04-20 | 7.5 HIGH | 7.3 HIGH |
| The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password. | |||||
| CVE-2021-22055 | 1 Vmware | 1 Photon Os | 2022-04-18 | 5.0 MEDIUM | 5.3 MEDIUM |
| The SchedulerServer in Vmware photon allows remote attackers to inject logs through \r in the package parameter. Attackers can also insert malicious data and fake entries. | |||||
| CVE-2014-0054 | 2 Springsource, Vmware | 2 Spring Framework, Spring Framework | 2022-04-11 | 6.8 MEDIUM | N/A |
| The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429. | |||||
| CVE-2013-7315 | 2 Springsource, Vmware | 2 Spring Framework, Spring Framework | 2022-04-11 | 6.8 MEDIUM | N/A |
| The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions. | |||||
| CVE-2013-4152 | 2 Springsource, Vmware | 2 Spring Framework, Spring Framework | 2022-04-11 | 6.8 MEDIUM | N/A |
| The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue. | |||||
| CVE-2015-3192 | 3 Fedoraproject, Pivotal Software, Vmware | 3 Fedora, Spring Framework, Spring Framework | 2022-04-11 | 4.3 MEDIUM | 5.5 MEDIUM |
| Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file. | |||||
| CVE-2018-1258 | 5 Netapp, Oracle, Pivotal Software and 2 more | 42 Oncommand Insight, Oncommand Unified Manager, Oncommand Workflow Automation and 39 more | 2022-04-11 | 6.5 MEDIUM | 8.8 HIGH |
| Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. | |||||
| CVE-2016-5007 | 2 Pivotal Software, Vmware | 3 Spring Framework, Spring Framework, Spring Security | 2022-04-11 | 5.0 MEDIUM | 7.5 HIGH |
| Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences. | |||||
| CVE-2015-0201 | 2 Pivotal Software, Vmware | 2 Spring Framework, Spring Framework | 2022-04-11 | 5.0 MEDIUM | N/A |
| The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors. | |||||
| CVE-2016-9878 | 2 Pivotal Software, Vmware | 2 Spring Framework, Spring Framework | 2022-04-11 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks. | |||||
| CVE-2014-3625 | 2 Pivotal Software, Vmware | 2 Spring Framework, Spring Framework | 2022-04-11 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling. | |||||
| CVE-2014-0225 | 2 Pivotal Software, Vmware | 2 Spring Framework, Spring Framework | 2022-04-11 | 6.8 MEDIUM | 8.8 HIGH |
| When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack. | |||||