CVE-2014-4632

2015-02-0102:59:00

CWE-310

[email protected]

web.nvd.nist.gov

cve-2014-4632

vmware

vsphere

data protection

vdp

emc avamar

ssl

certificate

man-in-the-middle

spoofing

security vulnerability

6.2 Medium

AI Score

Confidence

Low

4.3 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

28.5%

JSON

VMware vSphere Data Protection (VDP) 5.1, 5.5 before 5.5.9, and 5.8 before 5.8.1 and the proxy client in EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x do not properly verify X.509 certificates from vCenter Server SSL servers, which allows man-in-the-middle attackers to spoof servers, and bypass intended backup and restore access restrictions, via a crafted certificate.

Affected configurations

NVD

Node

vmwarevsphere_data_protectionMatch5.1

vmwarevsphere_data_protectionMatch5.5.1

vmwarevsphere_data_protectionMatch5.5.6

vmwarevsphere_data_protectionMatch5.5.7

vmwarevsphere_data_protectionMatch5.5.8

vmwarevsphere_data_protectionMatch5.8.0

CPENameOperatorVersion
vmware:vsphere_data_protectionvmware vsphere data protectioneq5.1
vmware:vsphere_data_protectionvmware vsphere data protectioneq5.5.1
vmware:vsphere_data_protectionvmware vsphere data protectioneq5.5.6
vmware:vsphere_data_protectionvmware vsphere data protectioneq5.5.7
vmware:vsphere_data_protectionvmware vsphere data protectioneq5.5.8
vmware:vsphere_data_protectionvmware vsphere data protectioneq5.8.0

CPE	Name	Operator	Version
vmware:vsphere_data_protection	vmware vsphere data protection	eq	5.1
vmware:vsphere_data_protection	vmware vsphere data protection	eq	5.5.1
vmware:vsphere_data_protection	vmware vsphere data protection	eq	5.5.6
vmware:vsphere_data_protection	vmware vsphere data protection	eq	5.5.7
vmware:vsphere_data_protection	vmware vsphere data protection	eq	5.5.8
vmware:vsphere_data_protection	vmware vsphere data protection	eq	5.8.0