CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-34060 – VMware Cloud Director 10.5 Authentication Bypass
https://notcve.org/view.php?id=CVE-2023-34060
VMware Cloud Director Appliance contains an authentication bypass vulnerability in case VMware Cloud Director Appliance was upgraded to 10.5 from an older version. On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console) . This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present. VMware Cloud Director Appliance is impacted since it uses an affected version of sssd from the underlying Photon OS. • https://github.com/vmware/photon/wiki/Security-Update-3.0-687 https://github.com/vmware/photon/wiki/Security-Update-4.0-512 https://github.com/vmware/photon/wiki/Security-Update-5.0-143 https://www.vmware.com/security/advisories/VMSA-2023-0026.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-22055
https://notcve.org/view.php?id=CVE-2021-22055
The SchedulerServer in Vmware photon allows remote attackers to inject logs through \r in the package parameter. Attackers can also insert malicious data and fake entries. El SchedulerServer en Vmware photon permite a atacantes remotos inyectar registrosmedainte \r en el parámetro del paquete. Los atacantes también pueden insertar datos maliciosos y entradas falsas • https://github.com/vmware/photon/wiki/log_injection_vulnerability • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-22942 – kernel: failing usercopy allows for use-after-free exploitation
https://notcve.org/view.php?id=CVE-2022-22942
The vmwgfx driver contains a local privilege escalation vulnerability that allows unprivileged users to gain access to files opened by other processes on the system through a dangling 'file' pointer. El controlador vmwgfx contiene una vulnerabilidad de escalada de privilegios local que permite a los usuarios sin permisos obtener acceso a archivos abiertos por otros procesos en el sistema a través de un puntero de "archivo" colgante. A use-after-free flaw was found in the Linux kernel’s vmw_execbuf_copy_fence_user function in drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c in vmwgfx. This flaw allows a local attacker with user privileges to cause a privilege escalation problem. If the vmwgfx driver fails to copy the fence_rep object to userland, it tries to recover by deallocating the (already populated) file descriptor. • https://github.com/vmware/photon/wiki/Security-Update-3.0-356 https://github.com/vmware/photon/wiki/Security-Update-4.0-148 https://www.openwall.com/lists/oss-security/2022/01/27/4 https://access.redhat.com/security/cve/CVE-2022-22942 https://bugzilla.redhat.com/show_bug.cgi?id=2044809 • CWE-416: Use After Free •
CVSS: 8.2EPSS: 0%CPEs: 5EXPL: 0CVE-2020-10713 – grub2: Crafted grub.cfg file can lead to arbitrary code execution during boot process
https://notcve.org/view.php?id=CVE-2020-10713
A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html http://www.openwall.com/lists/oss-security/2020/07/29/3 https://bugzilla.redhat.com/show_bug.cgi?id=1825243 https://cve.openeuler.org/#/CVEInfo/CVE-2020-10713 https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot https://kb.vmware.com/s/article/80181 https://security.gentoo.org/glsa/202104-05 https://security. • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.8EPSS: 88%CPEs: 7EXPL: 4CVE-2020-3956 – vCloud Director 9.7.0.15498291 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-3956
VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access. VMware Cloud Director versiones 10.0.x anteriores a 10.0.0.2, versiones 9.7.0.x anteriores a 9.7.0.5, versiones 9.5.0.x anteriores a 9.5.0.6 y versiones 9.1.0.x anteriores a 9.1.0.4, no manejan apropiadamente la entrada conllevando a una vulnerabilidad de inyección de código. Un actor autenticado puede ser capaz de enviar tráfico malicioso a VMware Cloud Director, lo que puede conllevar a una ejecución de código remota arbitraria. • https://www.exploit-db.com/exploits/48540 https://github.com/aaronsvk/CVE-2020-3956 http://packetstormsecurity.com/files/157909/vCloud-Director-9.7.0.15498291-Remote-Code-Execution.html https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956 https://www.vmware.com/security/advisories/VMSA-2020-0010.html • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •