Vulnerabilities > CVE-2019-5533 - Incorrect Authorization vulnerability in VMWare Sd-Wan BY Velocloud

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

vmware

CWE-863

NVD

Published: 2019-10-29

Updated: 2020-08-24

Summary

In VMware SD-WAN by VeloCloud versions 3.x prior to 3.3.0, the VeloCloud Orchestrator parameter authorization check mistakenly allows enterprise users to obtain information of Managed Service Provider accounts. Among the information is username, first and last name, phone numbers and e-mail address if present but no other personal data. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 4.3.

Vulnerable Configurations

Part	Description	Count
Application	Vmware Vmware SD WAN BY Velocloud 3.1.1 Vmware SD WAN BY Velocloud 3.1.2 Vmware SD WAN BY Velocloud 3.2.0 Vmware SD WAN BY Velocloud 3.2.1 Vmware SD WAN BY Velocloud 3.2.2	5

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

Packetstorm

data source	https://packetstormsecurity.com/files/download/154892/CSNC-2019-007.txt
id	PACKETSTORM:154892
last seen	2019-10-18
published	2019-10-17
reporter	Silas Baertsch
source	https://packetstormsecurity.com/files/154892/VMware-VeloCloud-3.3.0-3.2.2-Authorization-Bypass.html
title	VMware VeloCloud 3.3.0 / 3.2.2 Authorization Bypass

References

https://www.vmware.com/security/advisories/VMSA-2019-0017.html