
CVE-2024-37081 – VMware vCenter Sudo Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-37081
18 Jun 2024 — The vCenter Server contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance. • https://packetstorm.news/files/id/182981 • CWE-556: ASP.NET Misconfiguration: Use of Identity Impersonation

CVE-2024-37080
https://notcve.org/view.php?id=CVE-2024-37080
18 Jun 2024 — vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453 • CWE-122: Heap-based Buffer Overflow

CVE-2024-37079
https://notcve.org/view.php?id=CVE-2024-37079
18 Jun 2024 — vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453 • CWE-787: Out-of-bounds Write

CVE-2024-22273
https://notcve.org/view.php?id=CVE-2024-22273
21 May 2024 — The storage controllers on VMware ESXi, Workstation, and Fusion have an out-of-bounds read/write vulnerability. A malicious actor with access to a virtual machine with storage controllers enabled may exploit this issue to create a denial of service condition or execute code on the hypervisor from a virtual machine in conjunction with other issues. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24308 • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write

CVE-2024-22270 – VMware Workstation hgfsVMCI_fileread Use of Uninitialized Variable Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2024-22270
14 May 2024 — VMware Workstation and Fusion contain an information disclosure vulnerability in the Host Guest File Sharing (HGFS) functionality. A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2024-22269 – VMware Workstation UrbBuf_getDataBuf Uninitialized Variable Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2024-22269
14 May 2024 — VMware Workstation and Fusion contain an information disclosure vulnerability in the vbluetooth device. A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2024-22267 – VMware Workstation VBluetoothHCI_PacketOut Use-After-Free Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-22267
14 May 2024 — VMware Workstation and Fusion contain a use-after-free vulnerability in the vbluetooth device. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280 • CWE-416: Use After Free

CVE-2024-22264 – VMware Avi Load Balancer updates address multiple vulnerabilities
https://notcve.org/view.php?id=CVE-2024-22264
08 May 2024 — VMware Avi Load Balancer contains a privilege escalation vulnerability. A malicious actor with admin privileges on VMware Avi Load Balancer can create, modify, execute and delete files as a root user on the host system. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24219 • CWE-269: Improper Privilege Management

CVE-2024-22262 – Spring Framework URL Parsing with Host Validation
https://notcve.org/view.php?id=CVE-2024-22262
16 Apr 2024 — Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 (https://spring.io/security/cve-2024-22259) and CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input. • https://github.com/Performant-Labs/CVE-2024-22262 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') CWE-918: Server-Side Request Forgery (SSRF)

CVE-2024-22247
https://notcve.org/view.php?id=CVE-2024-22247
02 Apr 2024 — VMware SD-WAN Edge contains a missing authentication and protection mechanism vulnerability. A malicious actor with physical access to the SD-WAN Edge appliance during activation can potentially exploit this vulnerability to access the BIOS configuration. In addition, the malicious actor may be able to exploit the default boot priority configured. • https://www.vmware.com/security/advisories/VMSA-2024-0008.html • CWE-287: Improper Authentication