Arbitrary code execution - CVE-2016-6646
Published: October 5, 2016
Vulnerability identifier: #VU765
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-6646
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor:
Affected software:
Detailed vulnerability description
The vulnerability allows a remote user to gain root privileges and execute arbitrary code on the target system.
The weakness is caused by an input validation flaw in the vApp Manager, in the GeneralCmdRequest, PersistantDataRequest, and GetCommandExecRequest classes. By connecting to port 5480 and triggering that error, an attacker can cause arbitrary code execution.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
How to mitigate CVE-2016-6646
Update to version 8.3.0.