VMware vCenter Server 6.0.x < 6.0u2 Unspecified HTTP Header Injection (VMSA-2016-0010)

Medium Nessus Plugin ID 92870


A virtualization management application installed on the remote host is affected by an HTTP header injection vulnerability.


The version of VMware vCenter Server installed on the remote host is 6.0.x prior to 6.0u2. It is, therefore, affected by an HTTP header injection vulnerability due to improper sanitization of user-supplied input. A remote attacker can exploit this to inject arbitrary HTTP headers and conduct HTTP response splitting attacks.


Upgrade to VMware vCenter Server version 6.0u2 (6.0.0 build-3634788) or later.

Plugin Details

Severity: Medium

ID: 92870

File Name: vmware_vcenter_vmsa-2016-0010.nasl

Version: $Revision: 1.5 $

Type: remote

Family: Misc.

Published: 2016/08/11

Modified: 2016/11/29

Dependencies: 63061

Risk Information

Risk Factor: Medium


CVSS v2

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND

CVSS v3

Base Score: 5.3

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:X

Vulnerability Information

CPE: cpe:/a:vmware:vcenter_server

Required KB Items: Host/VMware/vCenter, Host/VMware/version, Host/VMware/release

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/08/04

Vulnerability Publication Date: 2016/08/04

Reference Information

CVE: CVE-2016-5331

BID: 92324

OSVDB: 142633

VMSA: 2016-0010