Vulnerabilities > CVE-2016-7462 - Exposed Dangerous Method or Function vulnerability in VMWare Vrealize Operations

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

COMPLETE

network

low complexity

vmware

CWE-749

nessus

NVD

Published: 2016-12-29

Updated: 2017-07-28

Summary

The Suite REST API in VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to write arbitrary content to files or rename files via a crafted DiskFileItem in a relay-request payload that is mishandled during deserialization.

Vulnerable Configurations

Part	Description	Count
Application	Vmware Vmware Vrealize Operations 6.0.0 Vmware Vrealize Operations 6.1.0 Vmware Vrealize Operations 6.2.0A Vmware Vrealize Operations 6.2.1 Vmware Vrealize Operations 6.3.0	5

Common Weakness Enumeration (CWE)

CWE-749 - Exposed Dangerous Method or Function

Nessus

NASL family	CGI abuses
NASL id	VMWARE_VREALIZE_OPERATIONS_MANAGER_V640_DESERIALIZATION.NASL
description	The version of VMware vRealize Operations (vROps) Manager running on the remote web server is 6.x prior to 6.40. It is, therefore, affected by a flaw in the Suite API CollectorHttpRelayController component due to improper validation of DiskFileItem objects stored in the
last seen	2020-06-01
modified	2020-06-02
plugin id	95441
published	2016-12-01
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/95441
title	VMware vRealize Operations Manager ver 6.x < 6.40 Suite API CollectorHttpRelayController RelayRequest Object DiskFileItem Deserialization DoS

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

References