Filtered by vendor Vmware
Subscriptions
Total
956 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-4895 | 1 Vmware | 2 Airwatch Agent, Airwatch Inbox | 2025-04-20 | N/A |
| Airwatch Agent for Android contains a vulnerability that may allow a device to bypass root detection. Successful exploitation of this issue may result in an enrolled device having unrestricted access over local Airwatch security controls and data. | ||||
| CVE-2014-3527 | 1 Vmware | 1 Spring Security | 2025-04-20 | N/A |
| When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request. This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed. If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users. | ||||
| CVE-2015-5211 | 2 Debian, Vmware | 2 Debian Linux, Spring Framework | 2025-04-20 | 9.6 Critical |
| Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response. | ||||
| CVE-2017-4905 | 2 Apple, Vmware | 6 Mac Os X, Esxi, Fusion and 3 more | 2025-04-20 | 5.5 Medium |
| VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi600-201703403-SG, 6.0 U1 without patch ESXi600-201703402-SG, 5.5 without patch ESXi550-201703401-SG; Workstation Pro / Player 12.x prior to 12.5.5; and Fusion Pro / Fusion 8.x prior to 8.5.6 have uninitialized memory usage. This issue may lead to an information leak. | ||||
| CVE-2016-9879 | 3 Ibm, Redhat, Vmware | 4 Websphere Application Server, Jboss Amq, Jboss Fuse and 1 more | 2025-04-20 | N/A |
| An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected. | ||||
| CVE-2017-4904 | 2 Apple, Vmware | 6 Mac Os X, Esxi, Fusion and 3 more | 2025-04-20 | 8.8 High |
| The XHCI controller in VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi600-201703403-SG, 6.0 U1 without patch ESXi600-201703402-SG, and 5.5 without patch ESXi550-201703401-SG; Workstation Pro / Player 12.x prior to 12.5.5; and Fusion Pro / Fusion 8.x prior to 8.5.6 has uninitialized memory usage. This issue may allow a guest to execute code on the host. The issue is reduced to a Denial of Service of the guest on ESXi 5.5. | ||||
| CVE-2014-0097 | 1 Vmware | 1 Spring Security | 2025-04-20 | N/A |
| The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password. | ||||
| CVE-2017-4914 | 1 Vmware | 1 Vsphere Data Protection | 2025-04-20 | N/A |
| VMware vSphere Data Protection (VDP) 6.1.x, 6.0.x, 5.8.x, and 5.5.x contains a deserialization issue. Exploitation of this issue may allow a remote attacker to execute commands on the appliance. | ||||
| CVE-2017-4900 | 1 Vmware | 2 Workstation Player, Workstation Pro | 2025-04-20 | N/A |
| VMware Workstation Pro/Player 12.x before 12.5.3 contains a NULL pointer dereference vulnerability that exists in the SVGA driver. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs. | ||||
| CVE-2017-4933 | 2 Apple, Vmware | 4 Mac Os X, Esxi, Fusion and 1 more | 2025-04-20 | 8.8 High |
| VMware ESXi (6.5 before ESXi650-201710401-BG), Workstation (12.x before 12.5.8), and Fusion (8.x before 8.5.9) contain a vulnerability that could allow an authenticated VNC session to cause a heap overflow via a specific set of VNC packets resulting in heap corruption. Successful exploitation of this issue could result in remote code execution in a virtual machine via the authenticated VNC session. Note: In order for exploitation to be possible in ESXi, VNC must be manually enabled in a virtual machine's .vmx configuration file. In addition, ESXi must be configured to allow VNC traffic through the built-in firewall. | ||||
| CVE-2017-4898 | 1 Vmware | 2 Workstation Player, Workstation Pro | 2025-04-20 | N/A |
| VMware Workstation Pro/Player 12.x before 12.5.3 contains a DLL loading vulnerability that occurs due to the "vmware-vmx" process loading DLLs from a path defined in the local environment-variable. Successful exploitation of this issue may allow normal users to escalate privileges to System in the host machine where VMware Workstation is installed. | ||||
| CVE-2017-4921 | 1 Vmware | 1 Vcenter Server | 2025-04-20 | N/A |
| VMware vCenter Server (6.5 prior to 6.5 U1) contains an insecure library loading issue that occurs due to the use of LD_LIBRARY_PATH variable in an unsafe manner. Successful exploitation of this issue may allow unprivileged host users to load a shared library that may lead to privilege escalation. | ||||
| CVE-2015-5258 | 2 Fedoraproject, Vmware | 2 Fedora, Spring Social | 2025-04-20 | 8.8 High |
| Cross-site request forgery (CSRF) vulnerability in springframework-social before 1.1.3. | ||||
| CVE-2016-2173 | 2 Fedoraproject, Vmware | 2 Fedora, Spring Advanced Message Queuing Protocol | 2025-04-20 | 9.8 Critical |
| org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code. | ||||
| CVE-2017-4925 | 2 Apple, Vmware | 5 Mac Os X, Esxi, Fusion and 2 more | 2025-04-20 | 5.5 Medium |
| VMware ESXi 6.5 without patch ESXi650-201707101-SG, ESXi 6.0 without patch ESXi600-201706101-SG, ESXi 5.5 without patch ESXi550-201709101-SG, Workstation (12.x before 12.5.3), Fusion (8.x before 8.5.4) contain a NULL pointer dereference vulnerability. This issue occurs when handling guest RPC requests. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs. | ||||
| CVE-2017-4940 | 1 Vmware | 1 Esxi | 2025-04-20 | 6.1 Medium |
| The ESXi Host Client in VMware ESXi (6.5 before ESXi650-201712103-SG, 5.5 before ESXi600-201711103-SG and 5.5 before ESXi550-201709102-SG) contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker can exploit this vulnerability by injecting Javascript, which might get executed when other users access the Host Client. | ||||
| CVE-2017-4907 | 1 Vmware | 2 Horizon View, Unified Access Gateway | 2025-04-20 | N/A |
| VMware Unified Access Gateway (2.5.x, 2.7.x, 2.8.x prior to 2.8.1) and Horizon View (7.x prior to 7.1.0, 6.x prior to 6.2.4) contain a heap buffer-overflow vulnerability which may allow a remote attacker to execute code on the security gateway. | ||||
| CVE-2016-5007 | 2 Pivotal Software, Vmware | 3 Spring Framework, Spring Framework, Spring Security | 2025-04-20 | N/A |
| Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences. | ||||
| CVE-2017-4919 | 1 Vmware | 1 Vcenter Server | 2025-04-20 | N/A |
| VMware vCenter Server 5.5, 6.0, 6.5 allows vSphere users with certain, limited vSphere privileges to use the VIX API to access Guest Operating Systems without the need to authenticate. | ||||
| CVE-2017-4920 | 1 Vmware | 1 Nsx-v Edge | 2025-04-20 | N/A |
| The implementation of the OSPF protocol in VMware NSX-V Edge 6.2.x prior to 6.2.8 and NSX-V Edge 6.3.x prior to 6.3.3 doesn't correctly handle the link-state advertisement (LSA). A rogue LSA may exploit this issue resulting in continuous sending of LSAs between two routers eventually going in loop or loss of connectivity. | ||||