ID CVE-2017-4928
Summary The Flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f), i.e. not the new HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with modified headers towards internal services, leading to information disclosure.
References
Vulnerable Configurations
  • cpe:2.3:a:vmware:vcenter_server:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:5.5:1:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:5.5:1a:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:5.5:1b:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:5.5:1c:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:5.5:2:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:5.5:2b:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:5.5:2d:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:5.5:2e:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:5.5:3:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:5.5:3a:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:5.5:3b:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:5.5:3d:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:5.5:3e:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:5.5:b:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:5.5:c:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:6.0:1:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:6.0:1b:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:6.0:2:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:6.0:2a:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:6.0:2m:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:6.0:3:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:6.0:3a:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:6.0:3b:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:6.0:a:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server:6.0:b:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 30-10-2018 - 16:27)
Impact:
Exploitability:
CWE CWE-918
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: NONE
  • Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
refmap via4
bid 101785
confirm https://www.vmware.com/security/advisories/VMSA-2017-0017.html
sectrack 1039759
Last major update 30-10-2018 - 16:27
Published 17-11-2017 - 14:29
Last modified 30-10-2018 - 16:27