Vulnerabilities > VMware

DATE CVE VULNERABILITY TITLE RISK
2023-10-20 CVE-2023-34052 Deserialization of Untrusted Data vulnerability in VMware Aria Operations for Logs
VMware Aria Operations for Logs contains a deserialization vulnerability. A malicious actor with non-administrative access to the local system can trigger the deserialization of data which could result in authentication bypass.
local
low complexity
vmware CWE-502
7.8
2023-10-19 CVE-2023-34050 Deserialization of Untrusted Data vulnerability in VMware Spring Advanced Message Queuing Protocol
In Spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9, allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however, by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if: the SimpleMessageConverter or SerializerMessageConverter is used; the user does not configure allowed list patterns; and untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content.
network
low complexity
vmware CWE-502
4.3
2023-09-27 CVE-2023-34043 Improper Privilege Management vulnerability in VMware Aria Operations and Cloud Foundation
VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.
local
low complexity
vmware CWE-269
6.7
2023-09-20 CVE-2023-34047 Unspecified vulnerability in VMware Spring for GraphQL
A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session.
network
low complexity
vmware
4.3
2023-08-31 CVE-2023-20900 Authentication Bypass by Capture-replay vulnerability in multiple products
A malicious actor that has been granted Guest Operation Privileges (https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html) in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias (https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html).
7.5
2023-08-29 CVE-2023-20890 Path Traversal vulnerability in VMware Aria Operations for Networks
Aria Operations for Networks contains an arbitrary file write vulnerability. An authenticated malicious actor with administrative access to VMware Aria Operations for Networks can write files to arbitrary locations resulting in remote code execution.
network
low complexity
vmware CWE-22
7.2
2023-08-29 CVE-2023-34039 Use of a Broken or Risky Cryptographic Algorithm vulnerability in VMware Aria Operations for Networks
Aria Operations for Networks contains an Authentication Bypass vulnerability due to a lack of unique cryptographic key generation. A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI.
network
low complexity
vmware CWE-327
critical
9.8
2023-08-24 CVE-2023-34040 Deserialization of Untrusted Data vulnerability in VMware Spring for Apache Kafka
In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied.
local
low complexity
vmware CWE-502
7.8
2023-08-04 CVE-2023-34037 HTTP Request Smuggling vulnerability in VMware Horizon Client
VMware Horizon Server contains an HTTP request smuggling vulnerability.
network
low complexity
vmware CWE-444
5.3
2023-08-04 CVE-2023-34038 Unspecified vulnerability in VMware Horizon Client
VMware Horizon Server contains an information disclosure vulnerability.
network
low complexity
vmware
5.3