CVE-2022-31680

CWE-502 — Deserialization of Untrusted Data6 documents5 sources

Severity

9.1CRITICAL

EPSS

3.4%

top 12.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Vcenter Server

Timeline

PublishedOct 7

Latest updateOct 11

Description

The vCenter Server contains an unsafe deserialisation vulnerability in the PSC (Platform services controller). A malicious actor with admin access on vCenter server may exploit this issue to execute arbitrary code on the underlying operating system that hosts the vCenter Server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 2.3 | Impact: 6.0

Affected Packages2 packages

▶NVDvmware/vcenter_server< 6.5+1

▶CVEListV5vmware_vcenter_serverVMware vCenter Server 6.5 prior to U3u

🔴Vulnerability Details

GHSA

GHSA-5g3f-j849-rm6p: The vCenter Server contains an unsafe deserialisation vulnerability in the PSC (Platform services controller)↗2022-10-08

▶

CVEList

CVE-2022-31680: The vCenter Server contains an unsafe deserialisation vulnerability in the PSC (Platform services controller)↗2022-10-07

▶

📋Vendor Advisories

VMware

VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2022-31680, CVE-2022-31681)↗2022-10-06

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: Data deserialization in VMware vCenter could lead to remote code execution↗2022-10-11

▶

Talos

Vulnerability Spotlight: Data deserialization in VMware vCenter could lead to remote code execution↗2022-10-11

▶