VMware vCenter Server vulnerabilities
94 known vulnerabilities affecting vmware/vcenter_server.
Total CVEs: 94
CISA KEV: 12 (actively exploited)
Public exploits: 18
Exploited in wild: 12
Severity breakdown: CRITICAL 25, HIGH 32, MEDIUM 36, LOW 1
Vulnerabilities
Page 4 of 5
CVE-2017-4923 [CRITICAL] CVSS 9.8 | CWE-200 | v6.5 | 2017-08-01
VMware vCenter Server (6.5 prior to 6.5 U1) contains an information disclosure vulnerability. This issue may allow plaintext credentials to be obtained when using the vCenter Server Appliance file-based backup feature.
nvd
CVE-2017-4921 [HIGH] CVSS 8.8 | v6.5 | 2017-08-01
VMware vCenter Server (6.5 prior to 6.5 U1) contains an insecure library loading issue that occurs due to the use of LD_LIBRARY_PATH variable in an unsafe manner. Successful exploitation of this issue may allow unprivileged host users to load a shared library that may lead to privilege escalation.
nvd
CVE-2017-4922 [MEDIUM] CVSS 6.5 | CWE-200 | v6.5 | 2017-08-01
VMware vCenter Server (6.5 prior to 6.5 U1) contains an information disclosure issue due to the service startup script using world writable directories as temporary storage for critical information. Successful exploitation of this issue may allow unprivileged host users to access certain critical information when the service gets restarted.
nvd
CVE-2017-4919 [CRITICAL] CVSS 9.0 | CWE-306 | v5.5, v6.0 +1 more | 2017-07-28
VMware vCenter Server 5.5, 6.0, 6.5 allows vSphere users with certain, limited vSphere privileges to use the VIX API to access Guest Operating Systems without the need to authenticate.
nvd
CVE-2017-4914 [CRITICAL] CVSS 9.8 | PoC | 2017-06-06
VMSA-2017-0010: vSphere Data Protection (VDP) updates address multiple security issues.
a. VDP Java deserialization issue VDP contains a deserialization issue. Exploitation of this issue may allow a remote attacker to execute commands on the appliance. VMware would like to thank Tim Roberts, Arthur Chilipweli, and Kelly Correll from NTT Security for reporting this issue to us. The Common Vulnerabili
vmware
CVE-2016-7459 [HIGH] CVSS 7.7 | CWE-611 | v5.0, v5.5 +1 more | 2016-12-29
VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
nvd
CVE-2016-5331 [MEDIUM] CVSS 6.1 | CWE-93 | ≤ 6.0 | 2016-08-08
CRLF injection vulnerability in VMware vCenter Server 6.0 before U2 and ESXi 6.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
nvd
CVE-2015-6931 [MEDIUM] CVSS 6.1 | CWE-79 | v5.0, v5.1 +1 more | 2016-07-03
Cross-site scripting (XSS) vulnerability in the vSphere Web Client in VMware vCenter Server 5.0 before U3g, 5.1 before U3d, and 5.5 before U2d allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
nvd
CVE-2016-2078 [MEDIUM] CVSS 6.1 | CWE-79 | v5.1, v5.5 +2 more | 2016-06-08
Cross-site scripting (XSS) vulnerability in the Web Client in VMware vCenter Server 5.1 before update 3d, 5.5 before update 3d, and 6.0 before update 2 on Windows allows remote attackers to inject arbitrary web script or HTML via the flashvars parameter.
nvd
CVE-2016-2077 [CRITICAL] CVSS 9.8 | 2016-05-17
VMSA-2016-0005: VMware product updates address critical and important security issues.
a. Critical JMX issue when deserializing authentication credentials The RMI server of Oracle JRE JMX deserializes any class when deserializing authentication credentials. This may allow a remote, unauthenticated attacker to cause deserialization flaws and execute their commands. Workarounds CVE-2016-3427 vCenter Se
vmware
CVE-2016-2076 [HIGH] CVSS 7.6 | CWE-287 | ≤ 6.0, v5.5 | 2016-04-15
Client Integration Plugin (CIP) in VMware vCenter Server 5.5 U3a, U3b, and U3c and 6.0 before U2; vCloud Director 5.5.5; and vRealize Automation Identity Appliance 6.2.4 before 6.2.4.1 mishandles session content, which allows remote attackers to hijack sessions via a crafted web site.
nvd
CVE-2015-2342 [CRITICAL] CVSS 10.0 | PoC | v5.0, v5.1 +2 more | 2015-10-12
The JMX RMI service in VMware vCenter Server 5.0 before u3e, 5.1 before u3b, 5.5 before u3, and 6.0 before u1 does not restrict registration of MBeans, which allows remote attackers to execute arbitrary code via the RMI protocol.
nvd
CVE-2015-1047 [MEDIUM] CVSS 5.0 | CWE-20 | v5.0, v5.1 +1 more | 2015-10-12
vpxd in VMware vCenter Server 5.0 before u3e, 5.1 before u3, and 5.5 before u2 allows remote attackers to cause a denial of service via a long heartbeat message.
nvd
CVE-2015-6932 [MEDIUM] CVSS 5.8 | CWE-310 | v5.5, v6.0 | 2015-09-18
VMware vCenter Server 5.5 before u3 and 6.0 before u1 does not verify X.509 certificates from TLS LDAP servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
nvd
CVE-2014-4632 [MEDIUM] CVSS 4.3 | 2015-01-29
VMSA-2015-0002: VMware vSphere Data Protection product update addresses a certificate validation vulnerability.
a. VMware vSphere Data Protection certificate validation vulnerability VMware vSphere Data Protection (VDP) does not fully validate SSL certificates coming from vCenter Server. This issue may allow a Man-in-the-Middle attack that enables the attacker to perform unauth
vmware
CVE-2014-8373 [CRITICAL] CVSS 9.0 | 2014-12-09
VMSA-2014-0013: VMware vCloud Automation Center product updates address a critical remote privilege escalation vulnerability
a. VMware vCloud Automation Center remote privilege escalation VMware vCloud Automation Center has a remote privilege escalation vulnerability. This issue may allow an authenticated vCAC user to obtain administrative access to vCenter Serve
vmware
CVE-2014-6271 [CRITICAL] CVSS 9.8 | KEV | PoC | 2014-09-30
VMSA-2014-0010: VMware product updates address critical Bash security vulnerabilities
a. Bash update for multiple products. Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2
vmware
CVE-2014-4241 [MEDIUM] CVSS 4.3 | PoC | v5.0, v5.1 +1 more | 2014-07-17
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0 and 10.3.6.0 allows remote attackers to affect integrity via vectors related to WLS - Web Services.
nvd
CVE-2014-1209 [CRITICAL] CVSS 9.3 | 2014-04-10
VMSA-2014-0003: VMware vSphere Client updates address security vulnerabilities
a. vSphere Client Insecure Client Download vSphere Client contains a vulnerability in accepting an updated vSphere Client file from an untrusted source. The vulnerability may allow a host to direct vSphere Client to download and execute an arbitrary file from any URI. This issue can be exploited if the host has been compromised or
vmware
CVE-2014-1207 [MEDIUM] CVSS 4.3 | 2014-01-16
VMSA-2014-0001: VMware Workstation, Player, Fusion, ESXi, ESX and vCloud Director address several security issues
a. VMware ESXi and ESX NFC NULL pointer dereference VMware ESXi and ESX contain a NULL pointer dereference in the handling of the Network File Copy (NFC) traffic. To exploit this vulnerability, an attacker must intercept and modify the NFC traffic between ESXi/ESX
vmware