
Cybersecurity researchers today disclosed details for a new vulnerability in VMware’s Cloud Director platform that could potentially allow an attacker to gain access to sensitive information and control private clouds within an entire infrastructure.

Tracked as CVE-2020-3956, the code injection flaw stems from improper input handling that an authenticated attacker could abuse by sending malicious traffic to Cloud Director, leading to the execution of arbitrary code.

It’s rated 8.8 out of 10 on the CVSS v.3 vulnerability severity scale, making it a critical vulnerability.

VMware Cloud Director is popular deployment, automation, and management software used to operate and manage cloud resources, allowing businesses to turn data centres distributed across different geographical locations into virtual data centres.

According to the company, the vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface, and API access.

The vulnerability impacts VMware Cloud Director versions 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4.
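The version ranges above can be checked against a deployment inventory. The following is an added example, not code from the article or from VMware; the function names, status labels, and sample inventory are assumptions made for illustration, and version strings are assumed to begin with a four-part dotted release number.

```python
import re

# Affected ranges as listed in the article: (branch prefix, first fixed release).
AFFECTED_RANGES = [
    ((10, 0), (10, 0, 0, 2)),
    ((9, 7, 0), (9, 7, 0, 5)),
    ((9, 5, 0), (9, 5, 0, 6)),
    ((9, 1, 0), (9, 1, 0, 4)),
]

def classify(version):
    """Classify a version string against the ranges above.

    Assumption: the string starts with a four-part dotted release number
    (e.g. "9.7.0.4"); anything after those four parts is ignored.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        return "unknown"
    parts = tuple(int(p) for p in m.group(1).split("."))
    if len(parts) < 4:
        # Patch level missing: refuse to guess rather than report a safe result.
        return "unknown"
    release = parts[:4]
    for prefix, first_fixed in AFFECTED_RANGES:
        if release[:len(prefix)] == prefix:
            return "affected" if release < first_fixed else "patched_or_later"
    return "branch_not_listed"

def audit(inventory):
    """Return (host, status) pairs with affected hosts sorted first."""
    order = {"affected": 0, "unknown": 1, "branch_not_listed": 2, "patched_or_later": 3}
    results = {host: classify(ver) for host, ver in inventory.items()}
    return sorted(results.items(), key=lambda kv: (order[kv[1]], kv[0]))

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "vcd-prod-01": "10.0.0.1",
    "vcd-prod-02": "10.0.0.2",
    "vcd-lab-01": "9.5.0.5-build",
    "vcd-lab-02": "9.7",
    "vcd-dr-01": "10.1.0.0",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```

Hosts reported as `unknown` or `branch_not_listed` need a manual check against the vendor advisory, since the article's list only covers the four branches shown.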

The vulnerability was identified by the Prague-based ethical hacking firm Citadelo after it was hired earlier this year by an unnamed Fortune 500 enterprise customer to carry out a security audit of its cloud infrastructure.
