CVE-2011-2217

2011-06-0619:55:03

CWE-119

[email protected]

web.nvd.nist.gov

cve-2011-2217

activex controls

tom sawyer get

vmware infrastructure client

code execution

denial of service

memory corruption

remote attackers

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

7.5 High

AI Score

Confidence

Low

0.958 High

EPSS

Percentile

99.5%

JSON

Certain ActiveX controls in (1) tsgetxu71ex552.dll and (2) tsgetx71ex552.dll in Tom Sawyer GET Extension Factory 5.5.2.237, as used in VI Client (aka VMware Infrastructure Client) 2.0.2 before Build 230598 and 2.5 before Build 204931 in VMware Infrastructure 3, do not properly handle attempted initialization within Internet Explorer, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HTML document.

Affected configurations

NVD

Node

tomsawyerget_extension_factoryMatch5.5.2.237

vmwarevirtual_infrastructure_clientMatch2.0.2

vmwarevirtual_infrastructure_clientMatch2.5

AND

vmwareinfrastructureMatch3

CPENameOperatorVersion
tomsawyer:get_extension_factorytomsawyer get extension factoryeq5.5.2.237
vmware:virtual_infrastructure_clientvmware virtual infrastructure clienteq2.0.2
vmware:virtual_infrastructure_clientvmware virtual infrastructure clienteq2.5
vmware:infrastructurevmware infrastructureeq3

CPE	Name	Operator	Version
tomsawyer:get_extension_factory	tomsawyer get extension factory	eq	5.5.2.237
vmware:virtual_infrastructure_client	vmware virtual infrastructure client	eq	2.0.2
vmware:virtual_infrastructure_client	vmware virtual infrastructure client	eq	2.5
vmware:infrastructure	vmware infrastructure	eq	3