CVE Vulnerabilities

CVE-2019-5538

Improper Certificate Validation

Published: Oct 28, 2019 | Modified: Aug 24, 2021
CVSS 3.x
5.9
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:P/I:N/A:N
RedHat/V2
RedHat/V3
Ubuntu

Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3a and 6.5 before 6.5u3d) may allow a malicious actor to intercept sensitive data in transit over SCP. A malicious actor with man-in-the-middle positioning between vCenter Server Appliance and a backup target may be able to intercept sensitive data in transit during File-Based Backup and Restore operations.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name Vendor Start Version End Version
Vcenter_server Vmware 6.5 (including) 6.5 (including)
Vcenter_server Vmware 6.5-a (including) 6.5-a (including)
Vcenter_server Vmware 6.5-b (including) 6.5-b (including)
Vcenter_server Vmware 6.5-c (including) 6.5-c (including)
Vcenter_server Vmware 6.5-d (including) 6.5-d (including)
Vcenter_server Vmware 6.5-e (including) 6.5-e (including)
Vcenter_server Vmware 6.5-f (including) 6.5-f (including)
Vcenter_server Vmware 6.5-update1 (including) 6.5-update1 (including)
Vcenter_server Vmware 6.5-update1b (including) 6.5-update1b (including)
Vcenter_server Vmware 6.5-update1c (including) 6.5-update1c (including)
Vcenter_server Vmware 6.5-update1d (including) 6.5-update1d (including)
Vcenter_server Vmware 6.5-update1e (including) 6.5-update1e (including)
Vcenter_server Vmware 6.5-update1g (including) 6.5-update1g (including)
Vcenter_server Vmware 6.5-update2 (including) 6.5-update2 (including)
Vcenter_server Vmware 6.5-update2b (including) 6.5-update2b (including)
Vcenter_server Vmware 6.5-update2c (including) 6.5-update2c (including)
Vcenter_server Vmware 6.5-update2d (including) 6.5-update2d (including)
Vcenter_server Vmware 6.5-update2g (including) 6.5-update2g (including)
Vcenter_server Vmware 6.5-update3 (including) 6.5-update3 (including)
Vcenter_server Vmware 6.7 (including) 6.7 (including)
Vcenter_server Vmware 6.7-a (including) 6.7-a (including)
Vcenter_server Vmware 6.7-b (including) 6.7-b (including)
Vcenter_server Vmware 6.7-d (including) 6.7-d (including)
Vcenter_server Vmware 6.7-update1 (including) 6.7-update1 (including)
Vcenter_server Vmware 6.7-update1b (including) 6.7-update1b (including)
Vcenter_server Vmware 6.7-update2 (including) 6.7-update2 (including)
Vcenter_server Vmware 6.7-update2a (including) 6.7-update2a (including)
Vcenter_server Vmware 6.7-update2c (including) 6.7-update2c (including)
Vcenter_server Vmware 6.7-update3 (including) 6.7-update3 (including)

Potential Mitigations

References