CVE-2020-3952

critical

Description

Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.

From the Tenable Blog

CVE-2020-3952: Sensitive Information Disclosure in VMware vCenter Server (VMSA-2020-0006)

CVE-2020-3952: Sensitive Information Disclosure in VMware vCenter Server (VMSA-2020-0006)

Published: 2020-04-10

VMware patches a critical information disclosure flaw in vCenter Server with a CVSSv3 score of 10.0. Background On April 9, VMware published VMSA-2020-0006, a security advisory for a critical vulnerability in vCenter Server that received the maximum CVSSv3 score of 10.0.

References

Tenable Blogs
More

https://www.tenable.com/blog/cve-2022-22948-vmware-vcenter-server-sensitive-information-disclosure-vulnerability

https://www.tenable.com/blog/cve-2020-3952-sensitive-information-disclosure-in-vmware-vcenter-server-vmsa-2020-0006

https://www.vmware.com/security/advisories/VMSA-2020-0006

http://packetstormsecurity.com/files/157896/VMware-vCenter-Server-6.7-Authentication-Bypass.html

Details

Source: Mitre, NVD

Published: 2020-04-10

Updated: 2025-03-13

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.93297