VMware vCenter Server vulnerabilities

94 known vulnerabilities affecting vmware/vcenter_server.

Total CVEs: 94
CISA KEV: 12 (actively exploited)
Public exploits: 18
Exploited in wild: 12
Severity breakdown: CRITICAL 25, HIGH 32, MEDIUM 36, LOW 1

Vulnerabilities

Page 5 of 5
CVE-2013-5973 | MEDIUM | CVSS 4.4 | 2013-12-22
VMSA-2013-0016: VMware ESXi and ESX unauthorized file access through vCenter Server and ESX. VMware ESXi and ESX contain a vulnerability in the handling of certain Virtual Machine file descriptors. This issue may allow an unprivileged vCenter Server user with the privilege "Add Existing Disk" to obtain read and write acc
Source: vmware

CVE-2013-5971 | MEDIUM | CVSS 6.8 | ≤ 5.0, v4.0.0.10021, +6 more | 2013-10-21
CWE-264. Session fixation vulnerability in the vSphere Web Client Server in VMware vCenter Server 5.0 before Update 3 allows remote attackers to hijack web sessions and gain privileges via unspecified vectors.
Source: nvd

CVE-2013-1661 | MEDIUM | CVSS 4.3 | 2013-08-29
VMSA-2013-0011: VMware ESXi and ESX address an NFC Protocol Unhandled Exception. a. VMware ESXi and ESX NFC Protocol Unhandled Exception. VMware ESXi and ESX contain a vulnerability in the handling of the Network File Copy (NFC) protocol. To exploit this vulnerability, an attacker must intercept and modify the NFC traffic between ESXi/ESX and the client. Exploitation of the issue may lead to a Denial of Service
Source: vmware

CVE-2012-2337 | HIGH | CVSS 7.2 | 2013-04-25
VMSA-2013-0006: VMware security updates for vCenter Server. a. vCenter Server AD anonymous LDAP binding credential by-pass. vCenter Server when deployed in an environment that uses Active Directory (AD) with anonymous LDAP binding enabled doesn't properly handle login credentials. In this environment, authenticating to vCenter Server with a valid user name and a blank password may be successful even if a non-blank password is require
Source: vmware

CVE-2013-1659 | HIGH | CVSS 7.6 | v4.0, v5.0 | 2013-02-22
VMware vCenter Server 4.0 before Update 4b, 5.0 before Update 2, and 5.1 before 5.1.0b; VMware ESXi 3.5 through 5.1; and VMware ESX 3.5 through 4.1 do not properly implement the Network File Copy (NFC) protocol, which allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption) by modifying the client-server data
Source: nvd

CVE-2012-6326 | HIGH | CVSS 7.8 | v4.1, v5.0 | 2013-02-22
CWE-119. VMware vCenter Server 4.1 before Update 3 and 5.0 before Update 2, and vCSA 5.0 before Update 2, allows remote attackers to cause a denial of service (disk consumption) via vectors that trigger large log entries.
Source: nvd

CVE-2013-1405 | CRITICAL | CVSS 10.0 | v4.0, v4.1 | 2013-02-15
CWE-287. VMware vCenter Server 4.0 before Update 4b and 4.1 before Update 3a, VMware VirtualCenter 2.5, VMware vSphere Client 4.0 before Update 4b and 4.1 before Update 3a, VMware VI-Client 2.5, VMware ESXi 3.5 through 4.1, and VMware ESX 3.5 through 4.1 do not properly implement the management authentication protocol, which allows remote servers to execute a
Source: nvd

CVE-2009-5029 | MEDIUM | CVSS 4.0 | PoC | 2012-12-20
VMSA-2012-0018: VMware security updates for vCSA, vCenter Server, and ESXi. a. vCenter Server Appliance directory traversal. The vCenter Server Appliance (vCSA) contains a directory traversal vulnerability that allows an authenticated remote user to retrieve arbitrary files. Exploitation of this issue may expose sensitive information stored on the server. VMware would like to thank Alexander Minozhenko from ERPScan
Source: vmware

CVE-2012-3569 | HIGH | CVSS 8.3 | PoC | 2012-11-08
VMSA-2012-0015: VMware Hosted Products and OVF Tool address security issues. a. VMware Workstation and Player Weak permissions on process threads vulnerability. Certain processes when created have weak security permissions assigned. It is possible to commandeer these process threads, which could result in Elevation of Privilege in the context of the host. VMware would like to thank Derek Soeder of Cylance, Inc. for
Source: vmware

CVE-2010-2928 | LOW | CVSS 2.1 | v4.1 | 2011-02-16
CWE-255. The vCenter Tomcat Management Application in VMware vCenter Server 4.1 before Update 1 stores log-on credentials in a configuration file, which allows local users to gain privileges by reading this file.
Source: nvd

CVE-2009-1564 | HIGH | CVSS 8.5 | 2010-04-09
VMSA-2010-0007: VMware hosted products, vCenter Server and ESX patches resolve multiple security issues. a. Windows-based VMware Tools Unsafe Library Loading vulnerability. A vulnerability in the way VMware libraries are referenced allows for arbitrary code execution in the context of the logged on user. This vulnerability is present only on Windows Guest Operating Systems. In order for an
Source: vmware

CVE-2009-2698 | HIGH | CVSS 7.8 | PoC | v4.0 | 2009-08-27
CWE-476. The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.
Source: nvd

CVE-2009-2416 | MEDIUM | CVSS 6.5 | v4.0 | 2009-08-11
CWE-416. Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.
Source: nvd

CVE-2009-1072 | MEDIUM | CVSS 4.9 | v4.0 | 2009-03-25
CWE-16. nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.
Source: nvd