Vulnerabilities > CVE-2020-3956 - Expression Language Injection vulnerability in VMWare Vcloud Director
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
| id | EDB-ID:48540 |
| last seen | 2020-06-03 |
| modified | 2020-06-02 |
| published | 2020-06-02 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/48540 |
| title | vCloud Director 9.7.0.15498291 - Remote Code Execution |
Nessus
| NASL family | Misc. |
| NASL id | VMWARE_CLOUD_DIRECTOR_VMSA-2020-0010.NASL |
| description | The version of VMware vCloud Director installed on the remote host is 9.1.x prior to 9.1.0.4, 9.5.x prior to 9.5.0.6, 9.7.x prior to 9.7.0.5, or 10.0.x prior to 10.0.0.2. It is, therefore, affected by a code injection vulnerability due to a failure to properly handle input. A remote, authenticated actor can exploit this, by sending malicious traffic to VMWare Cloud Director, in order to execute arbitrary code. Note that Nessus has not tested for this issue but has instead relied only on the application |
| last seen | 2020-05-31 |
| modified | 2020-05-21 |
| plugin id | 136746 |
| published | 2020-05-21 |
| reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/136746 |
| title | VMware Cloud Director 9.1.x < 9.1.0.4 / 9.5.x < 9.5.0.6 / 9.7.x < 9.7.0.5 / 10.0.x < 10.0.0.2 Code Injection (VMSA-2020-0010) |
Packetstorm
data source https://packetstormsecurity.com/files/download/157945/vmwarevclouddir970-exec.txt id PACKETSTORM:157945 last seen 2020-06-05 published 2020-06-04 reporter Tomas Melicher source https://packetstormsecurity.com/files/157945/VMWare-vCloud-Director-9.7.0.15498291-Remote-Code-Execution.html title VMWare vCloud Director 9.7.0.15498291 Remote Code Execution data source https://packetstormsecurity.com/files/download/157909/vclouddirector970-exec.txt id PACKETSTORM:157909 last seen 2020-06-04 published 2020-06-02 reporter Tomas Melicher source https://packetstormsecurity.com/files/157909/vCloud-Director-9.7.0.15498291-Remote-Code-Execution.html title vCloud Director 9.7.0.15498291 Remote Code Execution
The Hacker News
| id | THN:B363D9388FA707DF636CA4F8E0FC08BA |
| last seen | 2020-06-02 |
| modified | 2020-06-02 |
| published | 2020-06-02 |
| reporter | The Hacker News |
| source | https://thehackernews.com/2020/06/vmware-cloud-director-exploit.html |
| title | Critical VMware Cloud Director Flaw Lets Hackers Take Over Corporate Servers |
Related news
References
- https://www.vmware.com/security/advisories/VMSA-2020-0010.html
- https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
- https://github.com/aaronsvk/CVE-2020-3956
- http://packetstormsecurity.com/files/157909/vCloud-Director-9.7.0.15498291-Remote-Code-Execution.html