CVE-2010-1139

CWE-134 — Uncontrolled Format String4 documents4 sources

Severity

7.2HIGH

EPSS

0.1%

top 77.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Fusion Vmware Player Vmware Server +2 more

Timeline

PublishedApr 12

Latest updateMay 2

Description

Format string vulnerability in vmrun in VMware VIX API 1.6.x, VMware Workstation 6.5.x before 6.5.4 build 246459, VMware Player 2.5.x before 2.5.4 build 246459, and VMware Server 2.x on Linux, and VMware Fusion 2.x before 2.0.7 build 246742, allows local users to gain privileges via format string specifiers in process metadata.

CVSS vector

AV:L/AC:L/C:C/I:C/A:CExploitability: 3.9 | Impact: 10.0

Affected Packages5 packages

▶NVDvmware/fusion7 versions+6

▶NVDvmware/player4 versions+3

▶NVDvmware/server2.0.0, 2.0.1, 2.0.2+2

▶NVDvmware/workstation4 versions+3

▶NVDvmware/vix_api1.6.0, 1.6.1+1

Patches

Patch: lists.vmware.com ↗Patch: www.vmware.com ↗Patch: lists.vmware.com ↗

🔴Vulnerability Details

GHSA

GHSA-3jcj-m65j-r72c: Format string vulnerability in vmrun in VMware VIX API 1↗2022-05-02

▶

CVEList

CVE-2010-1139: Format string vulnerability in vmrun in VMware VIX API 1↗2010-04-12

▶