VMware vCloud Director 5.1.x < 5.1.3 Logout XSRF (VMSA-2014-0001)

This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

A virtualization appliance installed on the remote host is affected
by a cross-site request forgery vulnerability.

Description :

The version of VMware vCloud Director installed on the remote host is
5.1.x prior to 5.1.3. It is, therefore, affected by a cross-site
request forgery (XSRF) vulnerability due to an error in HTTP session
management. A remote attacker can exploit this, by convincing a user
to follow a specially crafted link, to cause the user to be logged out.
Note that the affected user can immediately log back into the system,
so the impact is limited to a forced logout.
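The mechanism described above, a logout endpoint that ends the session on
any request carrying the session cookie, is shown below beside a hardened
version. This is an added illustration written for this page, not VMware
or Nessus code, and it does not reproduce the actual vCloud Director
endpoint: the path /cloud/logout, the cookie name JSESSIONID, the form
field csrf_token and the hostnames are all hypothetical. The hardened
handler applies three independent controls (POST only, same-origin check
on the Origin or Referer header, per-session anti-CSRF token) and
simulate() runs the cross-site attack and a legitimate logout against
both handlers.

```python
"""Logout CSRF reduced to its request-handling logic.
Added illustration, not VMware code: endpoint path, cookie name,
parameter names and hostnames are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://vcd.example.internal"   # hypothetical portal origin


@dataclass
class Session:
    user: str
    active: bool = True
    # Per-session anti-CSRF token, issued at login and embedded in the portal's pages.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def vulnerable_logout(req, sessions):
    """Ends the session on any request carrying a valid session cookie.
    The browser attaches the cookie to a cross-site GET as well, so a link
    (or an <img src=...> tag) on an attacker's page logs the victim out."""
    sess = sessions.get(req.cookies.get("JSESSIONID"))
    if sess is None:
        return 401
    sess.active = False
    return 200


def _request_origin(req):
    """Origin header if present, else the origin part of Referer, else None."""
    origin = req.headers.get("Origin")
    if origin:
        return origin
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def hardened_logout(req, sessions):
    """Same endpoint: state change only on POST, only from our own origin,
    and only with the per-session token a cross-site page cannot read."""
    sess = sessions.get(req.cookies.get("JSESSIONID"))
    if sess is None:
        return 401
    if req.method != "POST":
        return 405
    if _request_origin(req) != SITE_ORIGIN:   # fail closed if neither header is present
        return 403
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, sess.csrf_token.encode()):
        return 403
    sess.active = False
    return 200


def simulate():
    """Run three scenarios against both handlers.
    Returns {scenario: (http_status, session_still_active)}."""
    results = {}
    for name, handler in (("vulnerable", vulnerable_logout), ("hardened", hardened_logout)):
        # 1. Victim follows a crafted link on the attacker's page (cross-site GET).
        sessions = {"s1": Session(user="alice")}
        cross_get = Request("GET", "/cloud/logout", {"JSESSIONID": "s1"},
                            headers={"Referer": "https://attacker.example/lure.html"})
        results[f"{name}_cross_site_get"] = (handler(cross_get, sessions), sessions["s1"].active)

        # 2. Attacker's page auto-submits a form (cross-site POST, guessed token).
        sessions = {"s1": Session(user="alice")}
        cross_post = Request("POST", "/cloud/logout", {"JSESSIONID": "s1"},
                             headers={"Origin": "https://attacker.example"},
                             form={"csrf_token": "guess"})
        results[f"{name}_cross_site_post"] = (handler(cross_post, sessions), sessions["s1"].active)

        # 3. Legitimate logout from the portal's own logout button.
        sessions = {"s1": Session(user="alice")}
        own_post = Request("POST", "/cloud/logout", {"JSESSIONID": "s1"},
                           headers={"Origin": SITE_ORIGIN},
                           form={"csrf_token": sessions["s1"].csrf_token})
        results[f"{name}_legit_post"] = (handler(own_post, sessions), sessions["s1"].active)
    return results


if __name__ == "__main__":
    for scenario, (status, active) in simulate().items():
        print(f"{scenario:26s} status={status} session_active={active}")
```

Marking the session cookie SameSite=Lax is useful defence in depth but does
not by itself close the "follow a link" case, because a top-level GET
navigation still carries Lax cookies; SameSite=Strict would, at the cost of
breaking legitimate deep links into the portal. Rejecting state changes on
GET is the control that actually matters here.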

See also :

https://www.vmware.com/security/advisories/VMSA-2014-0001

Solution :

Upgrade to VMware vCloud Director version 5.1.3 or later.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 72119

Bugtraq ID: 64993

CVE ID: CVE-2014-1211