CVE-2016-7459 — XML External Entity (XXE) Injection in Vmware Vcenter Server

CWE-611 — XML External Entity (XXE) Injection4 documents4 sources

Severity

7.7HIGHNVD

EPSS

0.5%

top 32.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Vcenter Server

Timeline

PublishedDec 29

Latest updateMay 14

Description

VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 3.1 | Impact: 4.0

Affected Packages1 packages

▶NVDvmware/vcenter_server5.0, 5.5, 6.0+2

Patches

Patch: www.vmware.com ↗Patch: www.vmware.com ↗

🔴Vulnerability Details

GHSA

GHSA-8xmw-6q27-4h39: VMware vCenter Server 5↗2022-05-14

▶

CVEList

CVE-2016-7459: VMware vCenter Server 5↗2016-12-29

▶

💬Community

Bugzilla

CVE-2013-7459 pycrypto: Heap-buffer overflow in ALGobject structure↗2017-01-03

▶