VMware Tanzu products update for rsync



Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-29154
CWE-ID CWE-22
Exploitation vector Network
Public exploit N/A
Vulnerable software
 VMware Tanzu Application Service for VMs
Server applications / Other server solutions

Isolation Segment
Server applications / Other server solutions

Platform Automation Toolkit
Other software / Other software solutions

VMware Tanzu Operations Manager
Server applications / Virtualization software

Vendor VMware, Inc

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Path traversal

EUVDB-ID: #VU66189

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-29154

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote server to perform directory traversal attacks.

The vulnerability exists due to input validation error within the rsync client  when processing file names. A remote malicious server overwrite arbitrary files in the rsync client target directory and subdirectories on the connected peer.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

VMware Tanzu Application Service for VMs: All versions

Isolation Segment: All versions

Platform Automation Toolkit: before 4.4.31

VMware Tanzu Operations Manager: before

CPE2.3 External links

https://tanzu.vmware.com/security/usn-5921-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###