7.5
CVE-2017-4928
- EPSS 1.24%
- Veröffentlicht 17.11.2017 14:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
- Quelle security@vmware.com
- CVE-Watchlists
- Unerledigt
The flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f) i.e. not the new HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with modified headers towards internal services leading to information disclosure.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VMware ≫ vCenter Server Version5.5
VMware ≫ vCenter Server Version5.5 Update1
VMware ≫ vCenter Server Version5.5 Update1a
VMware ≫ vCenter Server Version5.5 Update1b
VMware ≫ vCenter Server Version5.5 Update1c
VMware ≫ vCenter Server Version5.5 Update2
VMware ≫ vCenter Server Version5.5 Update2b
VMware ≫ vCenter Server Version5.5 Update2d
VMware ≫ vCenter Server Version5.5 Update2e
VMware ≫ vCenter Server Version5.5 Update3
VMware ≫ vCenter Server Version5.5 Update3a
VMware ≫ vCenter Server Version5.5 Update3b
VMware ≫ vCenter Server Version5.5 Update3d
VMware ≫ vCenter Server Version5.5 Update3e
VMware ≫ vCenter Server Version5.5 Updateb
VMware ≫ vCenter Server Version5.5 Updatec
VMware ≫ vCenter Server Version6.0
VMware ≫ vCenter Server Version6.0 Update1
VMware ≫ vCenter Server Version6.0 Update1b
VMware ≫ vCenter Server Version6.0 Update2
VMware ≫ vCenter Server Version6.0 Update2a
VMware ≫ vCenter Server Version6.0 Update2m
VMware ≫ vCenter Server Version6.0 Update3
VMware ≫ vCenter Server Version6.0 Update3a
VMware ≫ vCenter Server Version6.0 Update3b
VMware ≫ vCenter Server Version6.0 Updatea
VMware ≫ vCenter Server Version6.0 Updateb
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.24% | 0.652 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:P/I:N/A:N
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
http://www.securitytracker.com/id/1039759
https://www.vmware.com/security/advisories/VMSA-2017-0017.html
http://www.securityfocus.com/bid/101785