CVE-2016-7459 - OpenCVE

VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Vmware	Vcenter Server

Configuration 1 [-]

OR	cpe:2.3:a:vmware:vcenter_server:5.0:::::::*
	cpe:2.3:a:vmware:vcenter_server:5.5:::::::*
	cpe:2.3:a:vmware:vcenter_server:5.5:1::::::
	cpe:2.3:a:vmware:vcenter_server:5.5:2::::::
	cpe:2.3:a:vmware:vcenter_server:5.5:3a::::::
	cpe:2.3:a:vmware:vcenter_server:5.5:3b::::::
	cpe:2.3:a:vmware:vcenter_server:6.0:::::::*
	cpe:2.3:a:vmware:vcenter_server:6.0:1::::::
	cpe:2.3:a:vmware:vcenter_server:6.0:1b::::::
	cpe:2.3:a:vmware:vcenter_server:6.0:2::::::
	cpe:2.3:a:vmware:vcenter_server:6.0:2m::::::
	cpe:2.3:a:vmware:vcenter_server:6.0:a::::::
	cpe:2.3:a:vmware:vcenter_server:6.0:b::::::

No data.

References

Link	Providers
http://www.securityfocus.com/bid/94486
http://www.securitytracker.com/id/1037329
http://www.vmware.com/security/advisories/VMSA-2016-0022.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2016-12-29T09:02:00

Updated: 2024-08-06T01:57:47.651Z

Reserved: 2016-09-09T00:00:00

Link: CVE-2016-7459

Vulnrichment

No data.

NVD

Status : Modified

Published: 2016-12-29T09:59:00.633

Modified: 2018-10-30T16:27:38.560

Link: CVE-2016-7459

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-11-22T00:00:00", "descriptions": [{"lang": "en", "value": "VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-27T09:57:01", "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware"}, "references": [{"name": "94486", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94486"}, {"name": "1037329", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1037329"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.vmware.com/security/advisories/VMSA-2016-0022.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@vmware.com", "ID": "CVE-2016-7459", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "94486", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94486"}, {"name": "1037329", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1037329"}, {"name": "http://www.vmware.com/security/advisories/VMSA-2016-0022.html", "refsource": "CONFIRM", "url": "http://www.vmware.com/security/advisories/VMSA-2016-0022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:57:47.651Z"}, "title": "CVE Program Container", "references": [{"name": "94486", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/94486"}, {"name": "1037329", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1037329"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.vmware.com/security/advisories/VMSA-2016-0022.html"}]}]}, "cveMetadata": {"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "assignerShortName": "vmware", "cveId": "CVE-2016-7459", "datePublished": "2016-12-29T09:02:00", "dateReserved": "2016-09-09T00:00:00", "dateUpdated": "2024-08-06T01:57:47.651Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:vcenter_server:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "46C704E0-E165-4A44-A104-6C5B83A83237", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:vcenter_server:5.5:*:*:*:*:*:*:*", "matchCriteriaId": "8B12523A-5C1E-408F-BB4B-98EF32C7D676", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:vcenter_server:5.5:1:*:*:*:*:*:*", "matchCriteriaId": "C06379AA-13C0-41FB-B63C-0C46D6DD0462", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:vcenter_server:5.5:2:*:*:*:*:*:*", "matchCriteriaId": "8339BAB3-D6C9-426A-9C1D-9F2AB946BF96", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:vcenter_server:5.5:3a:*:*:*:*:*:*", "matchCriteriaId": "23D847E4-5869-476A-B85F-29D8D5FDB68D", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:vcenter_server:5.5:3b:*:*:*:*:*:*", "matchCriteriaId": "5F8CC145-0D3F-4E42-BA46-403586EC608A", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:vcenter_server:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "7499E57A-1F9C-45F0-93F8-F3FB7B0F990F", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:vcenter_server:6.0:1:*:*:*:*:*:*", "matchCriteriaId": "43BEE461-85B7-4C19-8FBA-4460186DC58A", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:vcenter_server:6.0:1b:*:*:*:*:*:*", "matchCriteriaId": "E8249B2E-251F-4ED9-836F-E5D4C90D4EA6", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:vcenter_server:6.0:2:*:*:*:*:*:*", "matchCriteriaId": "ED78D4B1-5959-46F1-8DEE-7DE3BE38BAE3", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:vcenter_server:6.0:2m:*:*:*:*:*:*", "matchCriteriaId": "6C722953-08D7-4763-84CB-144D40D99EAC", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:vcenter_server:6.0:a:*:*:*:*:*:*", "matchCriteriaId": "74EE8EE5-54F0-4359-898B-C57C5B2AE7C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:vcenter_server:6.0:b:*:*:*:*:*:*", "matchCriteriaId": "F83AAB8E-F129-4D1C-A4BC-4CC2C1777F5F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue."}, {"lang": "es", "value": "VMware vCenter Server 5.5 en versiones anteriores a U3e y 6.0 en versiones anteriores a U2a permite a usuarios remotos autenticados leer archivos arbitrarios a trav\u00e9s de un documento (1) Log Browser, (2) Distributed Switch setup, o (3) Content Library XML que contiene una declaraci\u00f3n de entidad externa en conjunci\u00f3n con una referencia de entidad, relacionado con un problema XML External Entity (XXE)."}], "id": "CVE-2016-7459", "lastModified": "2018-10-30T16:27:38.560", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-12-29T09:59:00.633", "references": [{"source": "security@vmware.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94486"}, {"source": "security@vmware.com", "url": "http://www.securitytracker.com/id/1037329"}, {"source": "security@vmware.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.vmware.com/security/advisories/VMSA-2016-0022.html"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}