Vulnerabilities > CVE-2022-22977 - XXE vulnerability in VMWare Tools

CVSS 7.1 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

HIGH

local

low complexity

vmware

CWE-611

NVD

Published: 2022-05-24

Updated: 2022-06-09

Summary

VMware Tools for Windows(12.0.0, 11.x.y and 10.x.y) contains an XML External Entity (XXE) vulnerability. A malicious actor with non-administrative local user privileges in the Windows guest OS, where VMware Tools is installed, may exploit this issue leading to a denial-of-service condition or unintended information disclosure.

Vulnerable Configurations

Part	Description	Count
Application	Vmware Vmware Tools 10.0.0 Vmware Tools 10.0.5 Vmware Tools 10.0.6 Vmware Tools 10.0.8 Vmware Tools 10.0.9 Vmware Tools 10.0.12 Vmware Tools 10.1 Vmware Tools 10.1.0 Vmware Tools 10.1.5 Vmware Tools 10.1.7 Vmware Tools 10.1.10 Vmware Tools 10.1.15 Vmware Tools 10.2 Vmware Tools 10.2.1 Vmware Tools 10.2.5 Vmware Tools 10.3.0 Vmware Tools 10.3.2 Vmware Tools 10.3.5 Vmware Tools 10.3.10 Vmware Tools 10.3.20 Vmware Tools 10.3.21 Vmware Tools 10.3.22 Vmware Tools 11.0.0 Vmware Tools 11.0.1 Vmware Tools 11.0.5 Vmware Tools 11.1.0 Vmware Tools 11.1.1 Vmware Tools 11.1.5 Vmware Tools 11.2.0 Vmware Tools 11.2.1 Vmware Tools 11.2.5 Vmware Tools 11.2.6 Vmware Tools 11.3.0 Vmware Tools *	34
OS	Microsoft Microsoft Windows -	1

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://www.vmware.com/security/advisories/VMSA-2022-0015.html