Main Vulnerability Database Vulnerabilities #VU78940

Information disclosure in Omniverse Workstation Launcher - CVE-2023-25524

Published: August 4, 2023

Vulnerability identifier: #VU78940

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-25524

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Omniverse Workstation Launcher

Software vendor:
VMware, Inc

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in the authentication flow, where a user’s access token is displayed in the browser user's address bar. A remote attacker can obtain the token by various means (e.g. via HTTP Referer header) and impersonate the victim to access launcher resources.

Remediation

Install updates from vendor's website.

External links

https://nvidia.custhelp.com/app/answers/detail/a_id/5472

Information disclosure in Omniverse Workstation Launcher - CVE-2023-25524

Description

Remediation

External links

Please verify you're human