{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-31676", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "assignerShortName": "vmware", "dateUpdated": "2024-08-03T07:26:00.916Z", "dateReserved": "2022-05-25T00:00:00", "datePublished": "2022-08-23T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2022-10-31T00:00:00"}, "descriptions": [{"lang": "en", "value": "VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine."}], "affected": [{"vendor": "n/a", "product": "VMware Tools", "versions": [{"version": "VMware Tools (12.0.0, 11.x.y and 10.x.y)", "status": "affected"}]}], "references": [{"url": "https://www.vmware.com/security/advisories/VMSA-2022-0024.html"}, {"name": "[oss-security] 20220823 [SECURITY ADVISORY] open-vm-tools: Local privilege escalation vulnerability (CVE-2022-31676)", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/08/23/3"}, {"name": "DSA-5215", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5215"}, {"name": "[debian-lts-announce] 20220825 [SECURITY] [DLA 3081-1] open-vm-tools security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00013.html"}, {"name": "FEDORA-2022-cd23eac6f4", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O4TZF6QRJIDECGMEGBPXJCHZ6YC3VZ6Z/"}, {"name": "FEDORA-2022-1b8d3b2845", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C5VV2R4LV4T3SNQJYRLFD4C75HBDVV76/"}, {"name": "FEDORA-2022-1c9c0bacaf", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZA63DWRW7HROTVBNRIPBJQWBYIYAQMEW/"}, {"url": "https://security.netapp.com/advisory/ntap-20221017-0003/"}, {"name": "GLSA-202210-27", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202210-27"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Local privilege escalation vulnerability"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:26:00.916Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.vmware.com/security/advisories/VMSA-2022-0024.html", "tags": ["x_transferred"]}, {"name": "[oss-security] 20220823 [SECURITY ADVISORY] open-vm-tools: Local privilege escalation vulnerability (CVE-2022-31676)", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/08/23/3"}, {"name": "DSA-5215", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5215"}, {"name": "[debian-lts-announce] 20220825 [SECURITY] [DLA 3081-1] open-vm-tools security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00013.html"}, {"name": "FEDORA-2022-cd23eac6f4", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O4TZF6QRJIDECGMEGBPXJCHZ6YC3VZ6Z/"}, {"name": "FEDORA-2022-1b8d3b2845", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C5VV2R4LV4T3SNQJYRLFD4C75HBDVV76/"}, {"name": "FEDORA-2022-1c9c0bacaf", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZA63DWRW7HROTVBNRIPBJQWBYIYAQMEW/"}, {"url": "https://security.netapp.com/advisory/ntap-20221017-0003/", "tags": ["x_transferred"]}, {"name": "GLSA-202210-27", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202210-27"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "85D2A005-C3F9-459B-BC91-A3DA727C0D51", "versionEndExcluding": "12.1.0", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7707956-2C9F-463A-8C77-D3E364915C24", "versionEndExcluding": "10.3.25", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "A571DE1F-02D4-4C4D-80C4-FE536D541C35", "versionEndExcluding": "12.1.0", "versionStartIncluding": "11.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*", "matchCriteriaId": "E7CF3019-975D-40BB-A8A4-894E62BD3797", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine."}, {"lang": "es", "value": "VMware Tools (versiones 12.0.0, 11.x.y y 10.x.y) contiene una vulnerabilidad de escalada de privilegios local. Un actor malicioso con acceso local no administrativo al Sistema Operativo invitado puede escalar privilegios como usuario root en la m\u00e1quina virtual."}], "id": "CVE-2022-31676", "lastModified": "2023-11-07T03:47:40.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-23T20:15:08.903", "references": [{"source": "security@vmware.com", "tags": ["Mailing List", "Patch", "Release Notes", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/08/23/3"}, {"source": "security@vmware.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00013.html"}, {"source": "security@vmware.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C5VV2R4LV4T3SNQJYRLFD4C75HBDVV76/"}, {"source": "security@vmware.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O4TZF6QRJIDECGMEGBPXJCHZ6YC3VZ6Z/"}, {"source": "security@vmware.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZA63DWRW7HROTVBNRIPBJQWBYIYAQMEW/"}, {"source": "security@vmware.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-27"}, {"source": "security@vmware.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221017-0003/"}, {"source": "security@vmware.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5215"}, {"source": "security@vmware.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.vmware.com/security/advisories/VMSA-2022-0024.html"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:6381", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "open-vm-tools-0:11.0.5-3.el7_9.4", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-09-07T00:00:00Z"}, {"advisory": "RHSA-2022:6357", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "open-vm-tools-0:11.3.5-1.el8_6.1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-09-06T00:00:00Z"}, {"advisory": "RHSA-2022:6354", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "open-vm-tools-0:10.3.10-3.el8_1.3", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-09-06T00:00:00Z"}, {"advisory": "RHSA-2022:6355", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "open-vm-tools-0:11.0.0-4.el8_2.1", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-09-06T00:00:00Z"}, {"advisory": "RHSA-2022:6356", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "open-vm-tools-0:11.2.0-2.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-09-06T00:00:00Z"}, {"advisory": "RHSA-2022:6358", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "open-vm-tools-0:11.3.5-1.el9_0.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-09-06T00:00:00Z"}], "bugzilla": {"description": "open-vm-tools: local root privilege escalation in the virtual machine", "id": "2118714", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2118714"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-250", "details": ["VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine.", "A flaw was found in open-vm-tools. A malicious actor with local non-administrative access to the guest operating system can escalate privileges as a root user in the virtual machine."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2022-31676", "public_date": "2022-08-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-31676\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-31676\nhttps://www.openwall.com/lists/oss-security/2022/08/23/3"], "threat_severity": "Important", "upstream_fix": "open-vm-tools 12.1.0"}