Page 8 of 72 results (0.005 seconds)

CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 2

The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. An authenticated local user with non-administrative privilege may exploit these issues to elevate their privileges to root on vCenter Server Appliance. vCenter Server contiene múltiples vulnerabilidades de escalada de privilegios locales debido a permisos inapropiados de archivos y directorios. Un usuario local autenticado con privilegios no administrativos puede explotar estos problemas para elevar sus privilegios a root en vCenter Server Appliance This vulnerability allows local attackers to escalate privileges on affected installations of VMware vCenter Server Appliance. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the permissions of root-owned service files. The product sets incorrect permissions on sensitive files. • https://github.com/PenteraIO/vScalation-CVE-2021-22015 http://packetstormsecurity.com/files/170116/VMware-vCenter-vScalation-Privilege-Escalation.html https://www.vmware.com/security/advisories/VMSA-2021-0020.html • CWE-552: Files or Directories Accessible to External Parties •

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

The vCenter Server contains multiple denial-of-service vulnerabilities in VAPI (vCenter API) service. A malicious actor with network access to port 443 on vCenter Server may exploit these issues to create a denial of service condition due to excessive memory consumption by VAPI service. vCenter Server contiene múltiples vulnerabilidades de denegación de servicio en el servicio VAPI (vCenter API). Un actor malicioso con acceso a la red al puerto 443 de vCenter Server puede explotar estos problemas para crear una condición de denegación de servicio debido al consumo excesivo de memoria por parte del servicio VAPI This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of VMware vCenter Server Appliance. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of jsonrpc messages. A crafted request can trigger a file read operation of a blocking or slow character stream. • https://www.vmware.com/security/advisories/VMSA-2021-0020.html • CWE-668: Exposure of Resource to Wrong Sphere •

CVSS: 7.5EPSS: 2%CPEs: 4EXPL: 0

The vCenter Server contains an information disclosure vulnerability in VAPI (vCenter API) service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue by sending a specially crafted json-rpc message to gain access to sensitive information. vCenter Server contiene una vulnerabilidad de divulgación de información en el servicio VAPI (vCenter API). Un actor malicioso con acceso de red al puerto 443 en vCenter Server puede explotar este problema mediante el envío de un mensaje json-rpc especialmente diseñado para conseguir acceso a información confidencial This vulnerability allows remote attackers to disclose sensitive information on affected installations of VMware vCenter Server Appliance. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of jsonrpc messages. The issue results from the lack of proper authentication before processing messages. • https://www.vmware.com/security/advisories/VMSA-2021-0020.html •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0

The vRealize Operations Manager API (8.x prior to 8.5) contains a broken access control vulnerability leading to unauthenticated API access. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to existing vROps cluster. La API de vRealize Operations Manager (versiones 8.x anteriores a 8.5) contiene una vulnerabilidad de control de acceso rota, conllevando a un acceso no autenticado a la API. Un actor malicioso no autenticado con acceso a la red de la API de vRealize Operations Manager puede añadir nuevos nodos a un clúster de vROps existente. • https://www.vmware.com/security/advisories/VMSA-2021-0018.html • CWE-287: Improper Authentication •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0

The vRealize Operations Manager API (8.x prior to 8.5) contains a Server Side Request Forgery in an end point. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack leading to information disclosure. La API de vRealize Operations Manager (versiones 8.x anteriores a 8.5) contiene una falsificación de petición del lado del servidor en un endpoint. Un actor malicioso no autenticado con acceso a la red a la API de vRealize Operations Manager puede realizar un ataque de tipo Server Side Request Forgery, conllevando a una divulgación de información. • https://www.vmware.com/security/advisories/VMSA-2021-0018.html • CWE-918: Server-Side Request Forgery (SSRF) •