Main Vulnerability Database SB2016112301

SB2016112301 - XXE attack in VMware vSphere Client

Published: November 23, 2016

Security Bulletin ID SB2016112301

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) XXE attack (CVE-ID: CVE-2016-7458)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to incorrect handling of XML requests. A remote attacker can trick the victim to connect to malicious vCenter Server or ESXi server, send to client specially crafted XML External Entity (XXE) data and obtain potentially sensitive information from victim's system.

Successful exploitation of the vulnerability may allow an attacker to obtain potentially sensitive information.

Remediation

Install update from vendor's website.

References

http://www.vmware.com/security/advisories/VMSA-2016-0022.html