CVE-2024-38811

VMware Fusion (13.x before 13.6) contains a code-execution vulnerability due to the usage of an insecure environment variable. A malicious actor with standard user privileges may exploit this vulnerability to execute code in the context of the Fusion application.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24939	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vmware:fusion:*:*:*:*:*:*:*:*

History

17 Sep 2024, 13:33

Type	Values Removed	Values Added
First Time		Vmware fusion Vmware
CPE		cpe:2.3:a:vmware:fusion::::::::
References	~~() https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24939 -~~	() https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24939 - Vendor Advisory
CWE		NVD-CWE-noinfo
Summary		(es) VMware Fusion (13.x anterior a 13.6) contiene una vulnerabilidad de ejecución de código debido al uso de una variable de entorno insegura. Un actor malintencionado con privilegios de usuario estándar puede aprovechar esta vulnerabilidad para ejecutar código en el contexto de la aplicación Fusion.
CVSS	v2 : ~~unknown~~ v3 : ~~8.8~~	v2 : unknown v3 : 7.8

03 Sep 2024, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-03 10:15

Updated : 2024-09-17 13:33

NVD link : CVE-2024-38811

Mitre link : CVE-2024-38811

CVE.ORG link : CVE-2024-38811

JSON object : View

Products Affected

vmware

fusion

CWE

NVD-CWE-noinfo CWE-20

Improper Input Validation

{"id": "CVE-2024-38811", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security@vmware.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.0}]}, "published": "2024-09-03T10:15:05.477", "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24939", "tags": ["Vendor Advisory"], "source": "security@vmware.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security@vmware.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "VMware Fusion (13.x before 13.6) contains a code-execution vulnerability due to the usage of an insecure environment variable.\u00a0A malicious actor with standard user privileges may exploit this vulnerability to execute code in the context of the Fusion application."}, {"lang": "es", "value": "VMware Fusion (13.x anterior a 13.6) contiene una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo debido al uso de una variable de entorno insegura. Un actor malintencionado con privilegios de usuario est\u00e1ndar puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto de la aplicaci\u00f3n Fusion."}], "lastModified": "2024-09-17T13:33:32.957", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vmware:fusion:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF374027-E370-4C67-B45F-A35C8DE3A545", "versionEndExcluding": "13.6", "versionStartIncluding": "13.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@vmware.com"}