VMware vCenter Server (6.7 before 6.7u3, 6.6 before 6.5u3k) contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate validation. A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.
The product does not validate, or incorrectly validates, a certificate.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cloud_foundation | Vmware | 3.0 (including) | 3.9 (excluding) |
| Vcenter_server | Vmware | 6.5 (including) | 6.5 (including) |
| Vcenter_server | Vmware | 6.5-a (including) | 6.5-a (including) |
| Vcenter_server | Vmware | 6.5-b (including) | 6.5-b (including) |
| Vcenter_server | Vmware | 6.5-c (including) | 6.5-c (including) |
| Vcenter_server | Vmware | 6.5-d (including) | 6.5-d (including) |
| Vcenter_server | Vmware | 6.5-e (including) | 6.5-e (including) |
| Vcenter_server | Vmware | 6.5-f (including) | 6.5-f (including) |
| Vcenter_server | Vmware | 6.5-update1 (including) | 6.5-update1 (including) |
| Vcenter_server | Vmware | 6.5-update1b (including) | 6.5-update1b (including) |
| Vcenter_server | Vmware | 6.5-update1c (including) | 6.5-update1c (including) |
| Vcenter_server | Vmware | 6.5-update1d (including) | 6.5-update1d (including) |
| Vcenter_server | Vmware | 6.5-update1e (including) | 6.5-update1e (including) |
| Vcenter_server | Vmware | 6.5-update1g (including) | 6.5-update1g (including) |
| Vcenter_server | Vmware | 6.5-update2 (including) | 6.5-update2 (including) |
| Vcenter_server | Vmware | 6.5-update2b (including) | 6.5-update2b (including) |
| Vcenter_server | Vmware | 6.5-update2c (including) | 6.5-update2c (including) |
| Vcenter_server | Vmware | 6.5-update2d (including) | 6.5-update2d (including) |
| Vcenter_server | Vmware | 6.5-update2g (including) | 6.5-update2g (including) |
| Vcenter_server | Vmware | 6.5-update3 (including) | 6.5-update3 (including) |
| Vcenter_server | Vmware | 6.5-update3d (including) | 6.5-update3d (including) |
| Vcenter_server | Vmware | 6.7 (including) | 6.7 (including) |
| Vcenter_server | Vmware | 6.7-a (including) | 6.7-a (including) |
| Vcenter_server | Vmware | 6.7-b (including) | 6.7-b (including) |
| Vcenter_server | Vmware | 6.7-d (including) | 6.7-d (including) |
| Vcenter_server | Vmware | 6.7-update1 (including) | 6.7-update1 (including) |
| Vcenter_server | Vmware | 6.7-update1b (including) | 6.7-update1b (including) |
| Vcenter_server | Vmware | 6.7-update2 (including) | 6.7-update2 (including) |
| Vcenter_server | Vmware | 6.7-update2a (including) | 6.7-update2a (including) |
| Vcenter_server | Vmware | 6.7-update2c (including) | 6.7-update2c (including) |