CVE-2023-20893

Опубликовано: 22 июн. 2023

Источник: nvd

CVSS3: 8.1

CVSS3: 9.8

EPSS Низкий

Описание

The VMware vCenter Server contains a use-after-free vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may exploit this issue to execute arbitrary code on the underlying operating system that hosts vCenter Server.

Ссылки

https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1799
https://www.vmware.com/security/advisories/VMSA-2023-0014.html
Patch
Vendor Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1799
https://www.vmware.com/security/advisories/VMSA-2023-0014.html
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:vmware:vcenter_server:*:*:*:*:*:*:*:*

Версия до 7.0 (исключая)

cpe:2.3:a:vmware:vcenter_server:7.0:-:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:a:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:b:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:c:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:d:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update1:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update1a:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update1c:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update1d:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update2:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update2a:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update2b:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update2c:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update2d:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update3:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update3a:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update3c:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update3d:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update3e:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update3f:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update3g:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update3h:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update3i:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update3j:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update3k:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update3l:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:8.0:-:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:8.0:a:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:8.0:b:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:8.0:c:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:8.0:update1:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:8.0:update1a:*:*:*:*:*:*

EPSS

Процентиль: 84%

0.0233

Низкий

8.1 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-416

Связанные уязвимости

GHSA-r9q7-6mw7-hmpc

CVSS3: 8.1

github

больше 2 лет назад

BDU:2023-03589

CVSS3: 8.1

fstec

больше 2 лет назад

Уязвимость реализации протокола DCERPC программного обеспечения управления виртуальной инфраструктурой VMware vCenter Server, связанная с использованием памяти после ее освобождения, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 84%

0.0233

Низкий

8.1 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-416