CVSS: 3.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10228 – Vagrant VMWare Utility installation files vulnerable to modification by unprivileged user
https://notcve.org/view.php?id=CVE-2024-10228
The Vagrant VMWare Utility Windows installer targeted a custom location with a non-protected path that could be modified by an unprivileged user, introducing potential for unauthorized file system writes. This vulnerability, CVE-2024-10228, was fixed in Vagrant VMWare Utility 1.0.23 El instalador de Windows de Vagrant VMWare Utility apuntaba a una ubicación personalizada con una ruta no protegida que podía ser modificada por un usuario sin privilegios, lo que generaba la posibilidad de escrituras no autorizadas en el sistema de archivos. Esta vulnerabilidad, CVE-2024-10228, se corrigió en Vagrant VMWare Utility 1.0.23 • https://discuss.hashicorp.com/t/hcsec-2024-25-vagrant-vmware-utility-installation-files-vulnerable-to-modification-by-unprivileged-user • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5834 – Vagrant’s Windows Installer Allowed Directory Junction Write
https://notcve.org/view.php?id=CVE-2023-5834
HashiCorp Vagrant's Windows installer targeted a custom location with a non-protected path that could be junctioned, introducing potential for unauthorized file system writes. Fixed in Vagrant 2.4.0. El instalador HashiCorp Vagrant de Windows apuntó a una ubicación personalizada con una ruta no protegida que podía unirse, lo que introdujo la posibilidad de escrituras no autorizadas en el sistema de archivos. Corregido en Vagrant 2.4.0. • https://discuss.hashicorp.com/t/hcsec-2023-31-vagrant-s-windows-installer-allowed-directory-junction-write/59568 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-1386: Insecure Operation on Windows Junction / Mount Point •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-42717
https://notcve.org/view.php?id=CVE-2022-42717
An issue was discovered in Hashicorp Packer before 2.3.1. The recommended sudoers configuration for Vagrant on Linux is insecure. If the host has been configured according to this documentation, non-privileged users on the host can leverage a wildcard in the sudoers configuration to execute arbitrary commands as root. Se ha detectado un problema en Hashicorp Packer versiones anteriores a 2.3.1. La configuración de sudoers recomendada para Vagrant en Linux es insegura. • https://discuss.hashicorp.com/t/hcsec-2022-23-vagrant-nfs-sudoers-configuration-allows-for-local-privilege-escalation/45423 https://github.com/hashicorp/vagrant/pull/12910 https://www.vagrantup.com/docs/synced-folders/nfs •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2017-16512
https://notcve.org/view.php?id=CVE-2017-16512
The vagrant update process in Hashicorp vagrant-vmware-fusion 5.0.2 through 5.0.4 allows local users to steal root privileges via a crafted update request when no updates are available. El proceso de actualización vagrant en Hashicorp vagrant-vmware-fusion, de la versión 5.0.2 a la 5.0.4, permite que usuarios locales roben privilegios root mediante una petición manipulada de actualización cuando no hay ninguna actualización disponible. • https://m4.rkw.io/blog/cve201716512-hashicorp-vagrantvmwarefusion-v502504-local-root.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 1CVE-2017-16839
https://notcve.org/view.php?id=CVE-2017-16839
Hashicorp vagrant-vmware-fusion 5.0.4 allows local users to steal root privileges if VMware Fusion is not installed. Hashicorp vagrant-vmware-fusion 5.0.4 permite que usuarios locales roben privilegios root si VMware Fusion no está instalado. • https://m4.rkw.io/blog/cve201716839-hashicorp-vagrantvmwarefusion-v504-local-root.html •