Vulnerabilities > Vmware > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-25 | CVE-2023-34056 | Unspecified vulnerability in VMWare Vcenter Server vCenter Server contains a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data. | 4.3 |
| 2023-10-25 | CVE-2023-46118 | Resource Exhaustion vulnerability in VMWare Rabbitmq RabbitMQ is a multi-protocol messaging and streaming broker. | 4.9 |
| 2023-10-20 | CVE-2023-34044 | Out-of-bounds Read vulnerability in VMWare Fusion and Workstation VMware Workstation( 17.x prior to 17.5) and Fusion(13.x prior to 13.5) contain an out-of-bounds read vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine. A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine. | 6.0 |
| 2023-10-19 | CVE-2023-34050 | Deserialization of Untrusted Data vulnerability in VMWare Spring Advanced Message Queuing Protocol In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if * the SimpleMessageConverter or SerializerMessageConverter is used * the user does not configure allowed list patterns * untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content | 4.3 |
| 2023-09-27 | CVE-2023-34043 | Improper Privilege Management vulnerability in VMWare Aria Operations and Cloud Foundation VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'. | 6.7 |
| 2023-09-20 | CVE-2023-34047 | Unspecified vulnerability in VMWare Spring for Graphql A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. | 4.3 |
| 2023-08-04 | CVE-2023-34037 | HTTP Request Smuggling vulnerability in VMWare Horizon Client VMware Horizon Server contains a HTTP request smuggling vulnerability. | 5.3 |
| 2023-08-04 | CVE-2023-34038 | Unspecified vulnerability in VMWare Horizon Client VMware Horizon Server contains an information disclosure vulnerability. | 5.3 |
| 2023-07-26 | CVE-2023-20891 | Information Exposure Through Log Files vulnerability in VMWare products The VMware Tanzu Application Service for VMs and Isolation Segment contain an information disclosure vulnerability due to the logging of credentials in hex encoding in platform system audit logs. A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. | 6.5 |
| 2023-07-18 | CVE-2023-34035 | Incorrect Authorization vulnerability in VMWare Spring Security Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet. (DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods on @Controller-annotated classes.) Specifically, an application is vulnerable when all of the following are true: * Spring MVC is on the classpath * Spring Security is securing more than one servlet in a single application (one of them being Spring MVC’s DispatcherServlet) * The application uses requestMatchers(String) to refer to endpoints that are not Spring MVC endpoints An application is not vulnerable if any of the following is true: * The application does not have Spring MVC on the classpath * The application secures no servlets other than Spring MVC’s DispatcherServlet * The application uses requestMatchers(String) only for Spring MVC endpoints | 5.3 |