Security News > 2020 > June > VMware Cloud Director vulnerability enables a full cloud infrastructure takeover

VMware Cloud Director vulnerability enables a full cloud infrastructure takeover
2020-06-02 09:11

A code injection vulnerability affecting VMware vCloud Director could be exploited to take over the infrastructure of cloud services, Citadelo researchers have discovered.

VMware Cloud Director is a cloud service delivery platform used by public and private cloud providers to operate and manage cloud infrastructure.

CVE-2020-3956 was discovered by Citadelo penetration testers during a security audit of a customer's VMWare Cloud Director-based cloud infrastructure.

"An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access," VMware explained in a security advisory published on May 19, after the company finished releasing patches for several versions of vCloud Director.

VMware Cloud Director v10.1.0 and vCloud Director versions 9.0.x and 8.x are not affected by the flaw.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/1d8nWK-i3mA/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-05-20 CVE-2020-3956 Expression Language Injection vulnerability in VMWare Vcloud Director
VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading to a code injection vulnerability.
network
low complexity
vmware CWE-917
8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Vmware 146 11 222 256 102 591