Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for gemfire by vmware
CVE-2020-5396 (GCVE-0-2020-5396)
Vulnerability from cvelistv5 – Published: 2020-07-31 19:40 – Updated: 2024-09-16 16:23
VLAI
Title
JMX Insecure Default Configuration in GemFire
Summary
VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, and VMware Tanzu GemFire for VMs versions prior to 1.11.1 and 1.10.2, when deployed without a SecurityManager, contain a JMX service available which contains an insecure default configuration. This allows a malicious user to create an MLet mbean leading to remote code execution.
Severity
No CVSS data available.
CWE
- CWE-284 - Improper Access Control - Generic
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://tanzu.vmware.com/security/cve-2020-5396 | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| VMware Tanzu | VMware Tanzu GemFire for VMs |
Affected:
1.10 , < 1.10.2
(custom)
Affected: 1.11 , < 1.11.1 (custom) |
|
| VMware Tanzu | VMware GemFire |
Affected:
9.7 , < 9.7.6
(custom)
Affected: 9.8 , < 9.8.7 (custom) Affected: 9.9 , < 9.9.2 (custom) Affected: 9.10 , < 9.10.0 (custom) |
Date Public
2020-07-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.241Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5396"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VMware Tanzu GemFire for VMs",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "1.10.2",
"status": "affected",
"version": "1.10",
"versionType": "custom"
},
{
"lessThan": "1.11.1",
"status": "affected",
"version": "1.11",
"versionType": "custom"
}
]
},
{
"product": "VMware GemFire",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "9.7.6",
"status": "affected",
"version": "9.7",
"versionType": "custom"
},
{
"lessThan": "9.8.7",
"status": "affected",
"version": "9.8",
"versionType": "custom"
},
{
"lessThan": "9.9.2",
"status": "affected",
"version": "9.9",
"versionType": "custom"
},
{
"lessThan": "9.10.0",
"status": "affected",
"version": "9.10",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-07-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, and VMware Tanzu GemFire for VMs versions prior to 1.11.1 and 1.10.2, when deployed without a SecurityManager, contain a JMX service available which contains an insecure default configuration. This allows a malicious user to create an MLet mbean leading to remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control - Generic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-31T19:40:19.000Z",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5396"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "JMX Insecure Default Configuration in GemFire",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-07-30T23:27:40.000Z",
"ID": "CVE-2020-5396",
"STATE": "PUBLIC",
"TITLE": "JMX Insecure Default Configuration in GemFire"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VMware Tanzu GemFire for VMs",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.10",
"version_value": "1.10.2"
},
{
"version_affected": "\u003c",
"version_name": "1.11",
"version_value": "1.11.1"
}
]
}
},
{
"product_name": "VMware GemFire",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.7",
"version_value": "9.7.6"
},
{
"version_affected": "\u003c",
"version_name": "9.8",
"version_value": "9.8.7"
},
{
"version_affected": "\u003c",
"version_name": "9.9",
"version_value": "9.9.2"
},
{
"version_affected": "\u003c",
"version_name": "9.10",
"version_value": "9.10.0"
}
]
}
}
]
},
"vendor_name": "VMware Tanzu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, and VMware Tanzu GemFire for VMs versions prior to 1.11.1 and 1.10.2, when deployed without a SecurityManager, contain a JMX service available which contains an insecure default configuration. This allows a malicious user to create an MLet mbean leading to remote code execution."
}
]
},
"impact": null,
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control - Generic"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tanzu.vmware.com/security/cve-2020-5396",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2020-5396"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2020-5396",
"datePublished": "2020-07-31T19:40:19.558Z",
"dateReserved": "2020-01-03T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:23:21.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11286 (GCVE-0-2019-11286)
Vulnerability from cvelistv5 – Published: 2020-07-31 19:40 – Updated: 2024-09-16 23:46
VLAI
Title
JMX Credential Deserialization in GemFire
Summary
VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the service with a crafted set of credentials leading to remote code execution.
Severity
9 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://tanzu.vmware.com/security/cve-2019-11286 | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| VMware Tanzu | VMware GemFire |
Affected:
9.7 , < 9.7.5
(custom)
Affected: 9.8 , < 9.8.5 (custom) Affected: 9.9 , < 9.9.1 (custom) Affected: 9.10 , < 9.10.0 (custom) |
|
| VMware Tanzu | VMware Tanzu GemFire for VMs |
Affected:
1.9 , < 1.9.2
(custom)
Affected: 1.10 , < 1.10.1 (custom) Affected: 1.8 , < 1.8.2 (custom) Affected: 1.11 , < 1.11.0 (custom) |
Date Public
2020-07-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:48:09.058Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2019-11286"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VMware GemFire",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "9.7.5",
"status": "affected",
"version": "9.7",
"versionType": "custom"
},
{
"lessThan": "9.8.5",
"status": "affected",
"version": "9.8",
"versionType": "custom"
},
{
"lessThan": "9.9.1",
"status": "affected",
"version": "9.9",
"versionType": "custom"
},
{
"lessThan": "9.10.0",
"status": "affected",
"version": "9.10",
"versionType": "custom"
}
]
},
{
"product": "VMware Tanzu GemFire for VMs",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "1.9.2",
"status": "affected",
"version": "1.9",
"versionType": "custom"
},
{
"lessThan": "1.10.1",
"status": "affected",
"version": "1.10",
"versionType": "custom"
},
{
"lessThan": "1.8.2",
"status": "affected",
"version": "1.8",
"versionType": "custom"
},
{
"lessThan": "1.11.0",
"status": "affected",
"version": "1.11",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-07-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the service with a crafted set of credentials leading to remote code execution."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-31T19:40:19.000Z",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2019-11286"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "JMX Credential Deserialization in GemFire",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-07-30T23:27:23.000Z",
"ID": "CVE-2019-11286",
"STATE": "PUBLIC",
"TITLE": "JMX Credential Deserialization in GemFire"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VMware GemFire",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.7",
"version_value": "9.7.5"
},
{
"version_affected": "\u003c",
"version_name": "9.8",
"version_value": "9.8.5"
},
{
"version_affected": "\u003c",
"version_name": "9.9",
"version_value": "9.9.1"
},
{
"version_affected": "\u003c",
"version_name": "9.10",
"version_value": "9.10.0"
}
]
}
},
{
"product_name": "VMware Tanzu GemFire for VMs",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.9",
"version_value": "1.9.2"
},
{
"version_affected": "\u003c",
"version_name": "1.10",
"version_value": "1.10.1"
},
{
"version_affected": "\u003c",
"version_name": "1.8",
"version_value": "1.8.2"
},
{
"version_affected": "\u003c",
"version_name": "1.11",
"version_value": "1.11.0"
}
]
}
}
]
},
"vendor_name": "VMware Tanzu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the service with a crafted set of credentials leading to remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502: Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tanzu.vmware.com/security/cve-2019-11286",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2019-11286"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2019-11286",
"datePublished": "2020-07-31T19:40:19.094Z",
"dateReserved": "2019-04-18T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:46:18.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11286 (GCVE-0-2019-11286)
Vulnerability from nvd – Published: 2020-07-31 19:40 – Updated: 2024-09-16 23:46
VLAI
Title
JMX Credential Deserialization in GemFire
Summary
VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the service with a crafted set of credentials leading to remote code execution.
Severity
9 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://tanzu.vmware.com/security/cve-2019-11286 | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| VMware Tanzu | VMware GemFire |
Affected:
9.7 , < 9.7.5
(custom)
Affected: 9.8 , < 9.8.5 (custom) Affected: 9.9 , < 9.9.1 (custom) Affected: 9.10 , < 9.10.0 (custom) |
|
| VMware Tanzu | VMware Tanzu GemFire for VMs |
Affected:
1.9 , < 1.9.2
(custom)
Affected: 1.10 , < 1.10.1 (custom) Affected: 1.8 , < 1.8.2 (custom) Affected: 1.11 , < 1.11.0 (custom) |
Date Public
2020-07-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:48:09.058Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2019-11286"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VMware GemFire",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "9.7.5",
"status": "affected",
"version": "9.7",
"versionType": "custom"
},
{
"lessThan": "9.8.5",
"status": "affected",
"version": "9.8",
"versionType": "custom"
},
{
"lessThan": "9.9.1",
"status": "affected",
"version": "9.9",
"versionType": "custom"
},
{
"lessThan": "9.10.0",
"status": "affected",
"version": "9.10",
"versionType": "custom"
}
]
},
{
"product": "VMware Tanzu GemFire for VMs",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "1.9.2",
"status": "affected",
"version": "1.9",
"versionType": "custom"
},
{
"lessThan": "1.10.1",
"status": "affected",
"version": "1.10",
"versionType": "custom"
},
{
"lessThan": "1.8.2",
"status": "affected",
"version": "1.8",
"versionType": "custom"
},
{
"lessThan": "1.11.0",
"status": "affected",
"version": "1.11",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-07-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the service with a crafted set of credentials leading to remote code execution."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-31T19:40:19.000Z",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2019-11286"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "JMX Credential Deserialization in GemFire",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-07-30T23:27:23.000Z",
"ID": "CVE-2019-11286",
"STATE": "PUBLIC",
"TITLE": "JMX Credential Deserialization in GemFire"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VMware GemFire",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.7",
"version_value": "9.7.5"
},
{
"version_affected": "\u003c",
"version_name": "9.8",
"version_value": "9.8.5"
},
{
"version_affected": "\u003c",
"version_name": "9.9",
"version_value": "9.9.1"
},
{
"version_affected": "\u003c",
"version_name": "9.10",
"version_value": "9.10.0"
}
]
}
},
{
"product_name": "VMware Tanzu GemFire for VMs",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.9",
"version_value": "1.9.2"
},
{
"version_affected": "\u003c",
"version_name": "1.10",
"version_value": "1.10.1"
},
{
"version_affected": "\u003c",
"version_name": "1.8",
"version_value": "1.8.2"
},
{
"version_affected": "\u003c",
"version_name": "1.11",
"version_value": "1.11.0"
}
]
}
}
]
},
"vendor_name": "VMware Tanzu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the service with a crafted set of credentials leading to remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502: Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tanzu.vmware.com/security/cve-2019-11286",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2019-11286"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2019-11286",
"datePublished": "2020-07-31T19:40:19.094Z",
"dateReserved": "2019-04-18T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:46:18.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5396 (GCVE-0-2020-5396)
Vulnerability from nvd – Published: 2020-07-31 19:40 – Updated: 2024-09-16 16:23
VLAI
Title
JMX Insecure Default Configuration in GemFire
Summary
VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, and VMware Tanzu GemFire for VMs versions prior to 1.11.1 and 1.10.2, when deployed without a SecurityManager, contain a JMX service available which contains an insecure default configuration. This allows a malicious user to create an MLet mbean leading to remote code execution.
Severity
No CVSS data available.
CWE
- CWE-284 - Improper Access Control - Generic
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://tanzu.vmware.com/security/cve-2020-5396 | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| VMware Tanzu | VMware Tanzu GemFire for VMs |
Affected:
1.10 , < 1.10.2
(custom)
Affected: 1.11 , < 1.11.1 (custom) |
|
| VMware Tanzu | VMware GemFire |
Affected:
9.7 , < 9.7.6
(custom)
Affected: 9.8 , < 9.8.7 (custom) Affected: 9.9 , < 9.9.2 (custom) Affected: 9.10 , < 9.10.0 (custom) |
Date Public
2020-07-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.241Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5396"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VMware Tanzu GemFire for VMs",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "1.10.2",
"status": "affected",
"version": "1.10",
"versionType": "custom"
},
{
"lessThan": "1.11.1",
"status": "affected",
"version": "1.11",
"versionType": "custom"
}
]
},
{
"product": "VMware GemFire",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "9.7.6",
"status": "affected",
"version": "9.7",
"versionType": "custom"
},
{
"lessThan": "9.8.7",
"status": "affected",
"version": "9.8",
"versionType": "custom"
},
{
"lessThan": "9.9.2",
"status": "affected",
"version": "9.9",
"versionType": "custom"
},
{
"lessThan": "9.10.0",
"status": "affected",
"version": "9.10",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-07-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, and VMware Tanzu GemFire for VMs versions prior to 1.11.1 and 1.10.2, when deployed without a SecurityManager, contain a JMX service available which contains an insecure default configuration. This allows a malicious user to create an MLet mbean leading to remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control - Generic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-31T19:40:19.000Z",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5396"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "JMX Insecure Default Configuration in GemFire",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-07-30T23:27:40.000Z",
"ID": "CVE-2020-5396",
"STATE": "PUBLIC",
"TITLE": "JMX Insecure Default Configuration in GemFire"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VMware Tanzu GemFire for VMs",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.10",
"version_value": "1.10.2"
},
{
"version_affected": "\u003c",
"version_name": "1.11",
"version_value": "1.11.1"
}
]
}
},
{
"product_name": "VMware GemFire",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.7",
"version_value": "9.7.6"
},
{
"version_affected": "\u003c",
"version_name": "9.8",
"version_value": "9.8.7"
},
{
"version_affected": "\u003c",
"version_name": "9.9",
"version_value": "9.9.2"
},
{
"version_affected": "\u003c",
"version_name": "9.10",
"version_value": "9.10.0"
}
]
}
}
]
},
"vendor_name": "VMware Tanzu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, and VMware Tanzu GemFire for VMs versions prior to 1.11.1 and 1.10.2, when deployed without a SecurityManager, contain a JMX service available which contains an insecure default configuration. This allows a malicious user to create an MLet mbean leading to remote code execution."
}
]
},
"impact": null,
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control - Generic"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tanzu.vmware.com/security/cve-2020-5396",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2020-5396"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2020-5396",
"datePublished": "2020-07-31T19:40:19.558Z",
"dateReserved": "2020-01-03T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:23:21.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}