CVE-2016-7462 - Exposed Dangerous Method or Function vulnerability in VMware vRealize Operations
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | NONE |
Integrity impact | LOW |
Availability impact | HIGH |
Summary
The Suite REST API in VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to write arbitrary content to files or rename files via a crafted DiskFileItem in a relay-request payload that is mishandled during deserialization.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 5 |
Common Weakness Enumeration (CWE)
Nessus
NASL family | CGI abuses |
NASL id | VMWARE_VREALIZE_OPERATIONS_MANAGER_V640_DESERIALIZATION.NASL |
description | The version of VMware vRealize Operations (vROps) Manager running on the remote web server is 6.x prior to 6.40. It is, therefore, affected by a flaw in the Suite API CollectorHttpRelayController component due to improper validation of DiskFileItem objects stored in the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 95441 |
published | 2016-12-01 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/95441 |
title | VMware vRealize Operations Manager ver 6.x < 6.40 Suite API CollectorHttpRelayController RelayRequest Object DiskFileItem Deserialization DoS |
References
- http://www.securityfocus.com/bid/94351
- http://www.securitytracker.com/id/1037297
- http://www.vmware.com/security/advisories/VMSA-2016-0020.html
- https://www.tenable.com/security/research/tra-2016-34