VMware vCloud Director 5.1.x < 5.1.3 Logout XSRF (VMSA-2014-0001)

This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

A virtualization appliance installed on the remote host is affected
by a cross-site request forgery vulnerability.

Description :

The version of VMware vCloud Director installed on the remote host is
5.1.x prior to 5.1.3. It is, therefore, affected by a cross-site
request forgery (XSRF) vulnerability due to an error in HTTP session
management. A remote attacker can exploit this by convincing a user
to follow a specially crafted link, causing the user to be logged out.
Note that the victimized user would be able to immediately log back
into the system.

See also :

https://www.vmware.com/security/advisories/VMSA-2014-0001

Solution :

Upgrade to VMware vCloud Director version 5.1.3 or later.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 72119

Bugtraq ID: 64993

CVE ID: CVE-2014-1211
