Information Disclosure Vulnerability in VMware vSphere ESXi and vCenter Server
CVE-2019-5531
5.4 MEDIUM
Key Information:
- Vendor: VMware
- CVE Published: 18 September 2019
Summary
VMware vSphere ESXi and vCenter Server contain an information disclosure vulnerability caused by insufficient session expiration. An attacker with physical access, or with the ability to mimic a WebSocket connection to a user's browser, may be able to gain control of a VM Console after the user has logged out or their session has timed out. Affected systems should be updated promptly to mitigate potential unauthorized access.
Affected Version(s)
VMware vCenter Server 6.7 prior to 6.7 U1b
VMware vCenter Server 6.5 prior to 6.5 U2b
VMware vCenter Server 6.0 prior to 6.0 U3j
CVSS V3.1
- Score: 5.4
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved