CVE-2019-5531

CWE-613 — Insufficient Session Expiration4 documents4 sources

Severity

5.4MEDIUM

EPSS

0.4%

top 40.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Vmware Vcenter Server Vmware Vmware Vsphere Esxi Vmware Esxi +2 more

Timeline

PublishedSep 18

Latest updateMay 24

Description

VMware vSphere ESXi (6.7 prior to ESXi670-201810101-SG, 6.5 prior to ESXi650-201811102-SG, and 6.0 prior to ESXi600-201807103-SG) and VMware vCenter Server (6.7 prior to 6.7 U1b, 6.5 prior to 6.5 U2b, and 6.0 prior to 6.0 U3j) contain an information disclosure vulnerability in clients arising from insufficient session expiration. An attacker with physical access or an ability to mimic a websocket connection to a user’s browser may be able to obtain control of a VM Console after the user has logg…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages5 packages

▶NVDvmware/vsphere_esxi6.0, 6.5, 6.7+2

▶NVDvmware/vcenter_server6.0, 6.5, 6.7+2

▶CVEListV5vmware/vmware_vsphere_esxi6.0 prior to ESXi600-201807103-SG, 6.5 prior to ESXi650-201811102-SG, 6.7 prior to ESXi670-201810101-SG+2

▶CVEListV5vmware/vmware_vcenter_server6.0 prior to 6.0 U3j, 6.5 prior to 6.5 U2b, 6.7 prior to 6.7 U1b+2

▶NVDvmware/esxi6.7

🔴Vulnerability Details

GHSA

GHSA-7623-hj89-p4cw: VMware vSphere ESXi (6↗2022-05-24

▶

CVEList

CVE-2019-5531: VMware vSphere ESXi (6↗2019-09-18

▶

📋Vendor Advisories

VMware

VMware ESXi and vCenter Server updates address command injection and information disclosure vulnerabilities. (CVE-2017-16544, CVE-2019-5531, CVE-2019-5532, CVE-2019-5534)↗2019-09-16

▶