CVE-2019-5537
Severity CVSS v4.0:
Pending analysis
Type:
CWE-295
Improper Certificate Validation
Publication date:
28/10/2019
Last modified:
24/08/2021
Description
Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3a and 6.5 before 6.5u3d) may allow a malicious actor to intercept sensitive data in transit over FTPS and HTTPS. A malicious actor with man-in-the-middle positioning between vCenter Server Appliance and a backup target may be able to intercept sensitive data in transit during File-Based Backup and Restore operations.
Impact
Base Score 3.x
5.90
Severity 3.x
MEDIUM
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:a:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:b:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:c:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:d:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:e:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:f:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:update1:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:update1b:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:update1c:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:update1d:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:update1e:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:update1g:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:update2:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:update2b:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page