CVE-2017-4928

Summary

The flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f) i.e. not the new HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with modified headers towards internal services leading to information disclosure.

Affected Software

VendorProductVersion RangeStatus
VMwarevSphere Web Client6.0 prior to 6.0 U3caffected
VMwarevSphere Web Client5.5 prior to 5.5 U3faffected

Weaknesses

  • Server-side request forgery and carriage return line feed injection issues

ADP Enrichment

CVE Program Container

Additional References

References