Executive Summary
Summary | |
---|---|
Title | VMware vCenter Update Manager fix for Jetty Web server addresses directory traversal vulnerability |
Information | |||
---|---|---|---|
Name | VMSA-2011-0014 | First vendor Publication | 2011-11-17 |
Vendor | VMware | Last vendor Modification | 2011-11-17 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
a. Directory traversal in third party Jetty Web server component

VMware vSphere Update Manager is an automated patch management solution for VMware ESX hosts and Microsoft virtual machines. Update Manager embeds the Jetty Web server which is a third party component.

The way the Jetty Web Server in vSphere Update Manager is configured allows for directory traversal. This issue is a variant of the directory traversal issue that was addressed in earlier versions of vSphere Update Manager. See VMSA-2010-0012 for additional information.

VMware would like to thank Alexey Sintsov from Digital Security Research Group for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-4404 to this issue.
Original Source
Url : http://www.vmware.com/security/advisories/VMSA-2011-0014.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-16 | Configuration |
ExploitDB Exploits
id | Description |
---|---|
2011-11-21 | VMware Update Manager Directory Traversal |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
54186 | Jetty HTTP Server Document Root Traversal Arbitrary File Access: Jetty contains a flaw that allows a remote attacker to access files outside of the web path. The issue is due to the ResourceHandler and DefaultServlet's alias handling not properly sanitizing user input, specifically directory traversal style attacks (../../). |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2011-12-01 | IAVM : 2011-A-0160 - Multiple Vulnerabilities in VMware vCenter Server 4.0 and vCenter Update Mana... Severity : Category I - VMSKEY : V0030769 |
Metasploit Database
id | Description |
---|---|
2011-11-21 | VMWare Update Manager 4 Directory Traversal |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2011-11-28 | Name : An application on the remote web server has a directory traversal vulnerability. File : vmware_vcenter_update_mgr_vmsa-2011-0014.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2020-05-23 13:17:15 | |
2015-06-10 21:26:00 | |
2014-02-17 12:07:21 | |
2014-01-03 17:19:09 | |
2013-11-11 12:41:40 | |