Client Integration Plugin (CIP) in VMware vCenter Server 5.5 U3a, U3b, and U3c and 6.0 before U2; vCloud Director 5.5.5; and vRealize Automation Identity Appliance 6.2.4 before 6.2.4.1 mishandles session content, which allows remote attackers to hijack sessions via a crafted web site.
Weakness
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Vcenter_server | Vmware | * | 6.0 (including) |
| Vcenter_server | Vmware | 5.5-3a (including) | 5.5-3a (including) |
| Vcenter_server | Vmware | 5.5-3b (including) | 5.5-3b (including) |
| Vcenter_server | Vmware | 5.5-u3c (including) | 5.5-u3c (including) |
| Vcloud_automation_identity_appliance | Vmware | 6.2.4 (including) | 6.2.4 (including) |
| Vcloud_director | Vmware | 5.5.5 (including) | 5.5.5 (including) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/114.html
- https://cwe.mitre.org/data/definitions/115.html
- https://cwe.mitre.org/data/definitions/151.html
- https://cwe.mitre.org/data/definitions/194.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/57.html
- https://cwe.mitre.org/data/definitions/593.html
- https://cwe.mitre.org/data/definitions/633.html
- https://cwe.mitre.org/data/definitions/650.html
- https://cwe.mitre.org/data/definitions/94.html
References
- http://www.securitytracker.com/id/1035570
- http://www.securitytracker.com/id/1035571
- http://www.securitytracker.com/id/1035572
- http://www.vmware.com/security/advisories/VMSA-2016-0004.html
- http://www.securitytracker.com/id/1035570
- http://www.securitytracker.com/id/1035571
- http://www.securitytracker.com/id/1035572
- http://www.vmware.com/security/advisories/VMSA-2016-0004.html