CVE-2017-4928

EPSS 0.17%
Published 17.11.2017 14:29:00
Last modified 20.04.2025 01:37:25
Source security@vmware.com
Teams watchlist Login
Open Login

The flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f) i.e. not the new HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with modified headers towards internal services leading to information disclosure.

Affected products Warnungen 0 Metrics 3 CWE 2 References 6

Data is provided by the National Vulnerability Database (NVD)

VMware ≫ Vcenter Server Version5.5

VMware ≫ Vcenter Server Version5.5 Update1

VMware ≫ Vcenter Server Version5.5 Update1a

VMware ≫ Vcenter Server Version5.5 Update1b

VMware ≫ Vcenter Server Version5.5 Update1c

VMware ≫ Vcenter Server Version5.5 Update2

VMware ≫ Vcenter Server Version5.5 Update2b

VMware ≫ Vcenter Server Version5.5 Update2d

VMware ≫ Vcenter Server Version5.5 Update2e

VMware ≫ Vcenter Server Version5.5 Update3

VMware ≫ Vcenter Server Version5.5 Update3a

VMware ≫ Vcenter Server Version5.5 Update3b

VMware ≫ Vcenter Server Version5.5 Update3d

VMware ≫ Vcenter Server Version5.5 Update3e

VMware ≫ Vcenter Server Version5.5 Updateb

VMware ≫ Vcenter Server Version5.5 Updatec

VMware ≫ Vcenter Server Version6.0

VMware ≫ Vcenter Server Version6.0 Update1

VMware ≫ Vcenter Server Version6.0 Update1b

VMware ≫ Vcenter Server Version6.0 Update2

VMware ≫ Vcenter Server Version6.0 Update2a

VMware ≫ Vcenter Server Version6.0 Update2m

VMware ≫ Vcenter Server Version6.0 Update3

VMware ≫ Vcenter Server Version6.0 Update3a

VMware ≫ Vcenter Server Version6.0 Update3b

VMware ≫ Vcenter Server Version6.0 Updatea

VMware ≫ Vcenter Server Version6.0 Updateb

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.17%	0.383

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

http://www.securitytracker.com/id/1039759

Third Party Advisory

VDB Entry

https://www.vmware.com/security/advisories/VMSA-2017-0017.html

Patch

Vendor Advisory

http://www.securityfocus.com/bid/101785

Third Party Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2017-4928

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-4928

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-4928

EUVD