CVE-2020-3994

VMware vCenter Server (6.7 before 6.7u3, 6.6 before 6.5u3k) contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate validation. A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.

CVSS v3 7.4 HIGH
CVSS v2.0 5.8 MEDIUM

7.4^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://www.vmware.com/security/advisories/VMSA-2020-0023.html	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vmware:cloud_foundation::::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:-::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:a::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:b::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:c::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:d::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:e::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:f::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:update1::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:update1b::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:update1c::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:update1d::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:update1e::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:update1g::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:update2::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:update2b::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:update2c::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:update2d::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:update2g::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:update3::::::
	cpe:2.3:a:vmware:vcenter_server:6.5:update3d::::::
	cpe:2.3:a:vmware:vcenter_server:6.7:-::::::
	cpe:2.3:a:vmware:vcenter_server:6.7:a::::::
	cpe:2.3:a:vmware:vcenter_server:6.7:b::::::
	cpe:2.3:a:vmware:vcenter_server:6.7:d::::::
	cpe:2.3:a:vmware:vcenter_server:6.7:update1::::::
	cpe:2.3:a:vmware:vcenter_server:6.7:update1b::::::
	cpe:2.3:a:vmware:vcenter_server:6.7:update2::::::
	cpe:2.3:a:vmware:vcenter_server:6.7:update2a::::::
	cpe:2.3:a:vmware:vcenter_server:6.7:update2c::::::

History

24 Aug 2021, 10:44

Type	Values Removed	Values Added
CPE	cpe:2.3:a:vmware:vcenter_server:6.5:u2b:::::: cpe:2.3:a:vmware:vcenter_server:6.5:u3d:::::: cpe:2.3:a:vmware:vcenter_server:6.5:u2c:::::: cpe:2.3:a:vmware:vcenter_server:6.5:u2:::::: cpe:2.3:a:vmware:vcenter_server:6.5:u3:::::: cpe:2.3:a:vmware:vcenter_server:6.5:1c:::::: cpe:2.3:a:vmware:vcenter_server:6.5:1b:::::: cpe:2.3:a:vmware:vcenter_server:6.5:u1g:::::: cpe:2.3:a:vmware:vcenter_server:6.5:u1d:::::: cpe:2.3:a:vmware:vcenter_server:6.5:1:::::: cpe:2.3:a:vmware:vcenter_server:6.5:u2d:::::: cpe:2.3:a:vmware:vcenter_server:6.5:u2g:::::: cpe:2.3:a:vmware:vcenter_server:6.5:u1e::::::	cpe:2.3:a:vmware:vcenter_server:6.5:update1c:::::: cpe:2.3:a:vmware:vcenter_server:6.5:update3d:::::: cpe:2.3:a:vmware:vcenter_server:6.5:update1b:::::: cpe:2.3:a:vmware:vcenter_server:6.5:update2b:::::: cpe:2.3:a:vmware:vcenter_server:6.5:update2d:::::: cpe:2.3:a:vmware:vcenter_server:6.5:update1e:::::: cpe:2.3:a:vmware:vcenter_server:6.5:update1g:::::: cpe:2.3:a:vmware:vcenter_server:6.5:update3:::::: cpe:2.3:a:vmware:vcenter_server:6.5:update2g:::::: cpe:2.3:a:vmware:vcenter_server:6.5:update1d:::::: cpe:2.3:a:vmware:vcenter_server:6.5:update1:::::: cpe:2.3:a:vmware:vcenter_server:6.5:update2:::::: cpe:2.3:a:vmware:vcenter_server:6.5:update2c::::::

Information

Published : 2020-10-20 17:15

Updated : 2024-02-04 21:23

NVD link : CVE-2020-3994

Mitre link : CVE-2020-3994

CVE.ORG link : CVE-2020-3994

JSON object : View

Products Affected

vmware

cloud_foundation
vcenter_server

CWE

CWE-295

Improper Certificate Validation

7.4 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.8 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2020-3994

7.4^/10

5.8^/10

Attach tags to `CVE-2020-3994`